[Full-disclosure] Outlook Express 6.0 : link destination obfuscation
Romain Vergniol
romain.vergniol at cegedim.fr
Wed Jan 4 10:25:33 GMT 2006
Hello FD readers,
did anyone already noticed that on Outlook Express 6.0, when a link is
longer than 512 bytes, the destination is not displayed at all in the
status bar ?
Tested on Outlook Express 6.0 on WinXP Pro SP2 FR, does not work on Outlook
2003 Win XP SP2 FR.
Ex :
<a href="http://www.exemple.com/+(500 random chars)">www.bank.com</a>
It could be used in phishing attacks for exemple to hide real link
destination.
Could it be considered as a security issue ?
Kind regards,
Romain Vergniol
Full-Disclosure is hosted and sponsored by Secunia.