Summary
Opera’s status bar shows the “title” attribute of a form input image, not the form’s “action” URL. This may mislead the user.
Severity: Very low
Problem description
It is possible to make a form input that looks like an image link. If the form input has a “title” attribute, the status bar will show the “title”. A “title” which looks like a URL can mislead the user, since the title can say http://nice.familiar.com/, while the form action can be something else.
Opera’s tooltip says “Title:” before the title text, making a spoof URL less convincing. A user who has enabled the status bar and disabled tooltips can be affected by this. Neither of these settings are Opera’s defaults.
This exploit is mostly of interest to users who disable JavaScript. If JavaScript is enabled, any link target or form action can be overridden by the script. The tooltip and the status bar can only be trusted to show the true location if JavaScript is disabled.
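The following is an added example, not part of the advisory and not Opera's code. It shows, from the defender's side, how a page audit could flag the mismatch the advisory describes: an image-type form input whose “title” reads like a URL but whose form “action” resolves to a different origin. The records are constructed inline so the check runs offline; collectImageInputs() is an assumed browser-side collector using the standard DOM API, and the sample hostnames are placeholders.

```javascript
// Added example (not from the advisory): flag <input type="image"> controls whose
// "title" attribute looks like a URL but points somewhere other than the form's action.
// The core check works on plain records so it runs outside a browser; collectImageInputs()
// shows how the same records would be gathered from a live DOM.

const URL_LIKE = /^(https?:)?\/\//i;

// Parse text as an absolute URL (relative to base), or return null if it is not one.
function parseUrl(text, base) {
  try {
    return new URL(text, base);
  } catch (e) {
    return null;
  }
}

// Return one finding per record whose URL-shaped title has a different origin
// from the form's resolved action. An empty action submits to the page itself,
// so it resolves to the page URL.
function findTitleActionMismatches(records, pageUrl) {
  const findings = [];
  for (const r of records) {
    if (!URL_LIKE.test(r.title || "")) continue; // plain text title: nothing to spoof
    const titleUrl = parseUrl(r.title, pageUrl);
    const actionUrl = parseUrl(r.action || "", pageUrl);
    if (!titleUrl || !actionUrl) continue;
    if (titleUrl.origin !== actionUrl.origin) {
      findings.push({
        title: r.title,
        action: actionUrl.href,
        reason: "title origin differs from form action origin",
      });
    }
  }
  return findings;
}

// Browser-side collector (assumed: standard DOM API; not exercised offline).
function collectImageInputs(doc) {
  return Array.from(doc.querySelectorAll('input[type="image"]')).map((el) => ({
    title: el.getAttribute("title") || "",
    action: el.form ? el.form.getAttribute("action") || "" : "",
  }));
}

// Constructed sample records mirroring the advisory's scenario (placeholder hosts).
const SAMPLE_PAGE_URL = "http://nice.familiar.com/index.html";
const SAMPLE_RECORDS = [
  // title reads like the trusted site, but the form posts elsewhere: flagged
  { title: "http://nice.familiar.com/", action: "http://elsewhere.example/collect" },
  // title and action share the page's origin: not flagged
  { title: "http://nice.familiar.com/login", action: "/login" },
  // ordinary descriptive title: not URL-shaped, not flagged
  { title: "Submit your order", action: "http://shop.example/checkout" },
];

function runSample() {
  return findTitleActionMismatches(SAMPLE_RECORDS, SAMPLE_PAGE_URL);
}

if (typeof document === "undefined") {
  console.log(runSample()); // prints the single mismatch from the sample records
} else {
  console.log(findTitleActionMismatches(collectImageInputs(document), location.href));
}
```

The comparison is on origin rather than full URL so that a title pointing at a different path on the same site is not reported; a stricter audit could compare the whole href.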
Opera’s response
Opera has released version 8.52, which displays the form action URL in the status bar, and both the “title” and the action URL in the tooltip.
Credits
Thanks to Secunia for pointing out how the “title” attribute could be abused to trick the user.
