MD/HTML can be used to falsify link targets #12774

pacien · 2020-03-18T15:43:38Z

Description

It's possible to use Markdown/HTML formatting to hide the real target of a link.
This could be used in phishing attacks.

Steps to reproduce

{
  "content": {
    "body": "[https://www.mq.edu.au/about/coronavirus-faqs/updates-from-the-vc](https://www.youtube.com/watch?v=dQw4w9WgXcQ)",
    "format": "org.matrix.custom.html",
    "formatted_body": "<a href=\"https://www.youtube.com/watch?v=dQw4w9WgXcQ\">https://www.mq.edu.au/about/coronavirus-faqs/updates-from-the-vc</a>",
    "msgtype": "m.text"
  }
}

is rendered as:

Mitigation

Other instant messaging apps and most email clients display a warning/confirmation pop-up when clicking on this kind of links, clearly displaying the actual target to the user and letting them choose whether to open it or not.

Version information

Platform: web and desktop
Version: 1.5.12

Riot on mobile might be affected too.

t3chguy · 2020-03-18T15:51:34Z

Duplicate of #7748

pacien added T-Defect ui/ux labels Mar 18, 2020

t3chguy marked this as a duplicate of #7748 Mar 18, 2020

t3chguy closed this as completed Mar 18, 2020

jryans removed the Z-UI/UX label Mar 8, 2021

t3chguy added a commit that referenced this issue Oct 17, 2024

Fix HTML export missing a bunch of Compound variables (#12774)

b4ef5d3

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

MD/HTML can be used to falsify link targets #12774

MD/HTML can be used to falsify link targets #12774

pacien commented Mar 18, 2020

t3chguy commented Mar 18, 2020

MD/HTML can be used to falsify link targets #12774

MD/HTML can be used to falsify link targets #12774

Comments

pacien commented Mar 18, 2020

Description

Steps to reproduce

Mitigation

Version information

t3chguy commented Mar 18, 2020