The "<MAP>" Tag URL Spoofing Demo
Vulnerability Details:
An attacker can use the "<map>" tag in an HTML page to spoof the URL that is displayed in the MS IE status bar. Malicious attackers and phishers can exploit this weakness by creating a specially crafted URL using the MAP tag, so that the status bar shows a different address from the one the link actually leads to. This makes the weakness a considerable aid to phishing scams.
Note: Firefox is not vulnerable.
Tested on Windows XP with SP1 and IE 6.0.
Proof of Concept
Move your mouse pointer over the image shown below and check your browser's status bar. If the status bar shows "http://www.hotmail.com", then you are vulnerable; otherwise it will show the actual link, i.e. http://www.hackingspirits.com.
On clicking the image, the user will be directed to http://www.hackingspirits.com instead of http://www.hotmail.com.