I've noticed for a very long time that when you try to copy a link location or open a link on Facebook, it modifies the link and passes it through
For example, I can be sent to
even though my browser render the link preview as
Today, I took a closer look using Firebug and found that Facebook puts
onmousedown="UntrustedLink.bootstrap($(this)[...] in the
<a> tag. The second I right clicked the link, I saw the
href attribute change in Firebug.
This worries me.
The advice many of us have given to less tech-savvy people (check where the link is taking you before you click so that you don't become a victim of phishing) now seems to have become useless. Isn't this a security risk? Can't phishing websites misuse this?
Why don't browsers prevent this behavior either by disallowing
onmousedown to change the
href attribute, so that I am sent to the location I thought I going to, not the one change while I was clicking it?
Edit : I want to briefly emphasize that what bothers me more than the risk of phishing is that users are being misled and it simply feels wrong to me that this can happen, whether by a trusted source or not.