We’re often advised not to click untrusted links, but less often told why. This post will outline a few things that can go wrong when you simply click a link.
In brief, clicking a link can lead to exploitation of vulnerabilities in your environment. These vulnerabilities can be in your apps, computer, local network, web browser, or even in your psyche.
Web app vulnerabilities
A link click can exploit vulnerabilities in web applications you use. The click can send a malicious payload directly to the target web app, or it can load a malicious website, which then sends the payload. A successful attack can result in theft or modification of data from the target web app.
Examples:
- XSS leading to compromise of Apache Foundation
- PortSwigger’s top 10 techniques, published each year
- HackerOne feed of unending web app vulnerabilities
Local service vulnerabilities
Your computer may be running local services like web servers or custom protocol handlers. These could be installed by users or by apps. A malicious website can send requests to these services and exploit vulnerabilities in them.
Examples:
- Zoom local web server allowed websites to start your webcam
- Blizzard update service allowed websites to interact with it (using DNS rebinding)
- Electron apps that registered protocol handlers were vulnerable to RCE
Local network access
Your home or office network is typically walled off from the outside world. However, when you click a link and load a malicious website, your browser executes the website’s JavaScript code. This code runs inside your network (since that’s where the browser is). While the code is sandboxed by your browser, it can still do things like:
- Scan the internal network for devices and ports.
- Exploit internal devices that have web interfaces, like IoT gadgets, printers, and routers.
- Exploit internal web apps, which often have weaker security than internet-facing apps.
Examples:
- A website can target a printer by sending requests to port 9100 and subsequently exploit vulnerabilities there
- The BeEF tool has a feature that maps internal networks
- Corporate networks often have internal apps that set overly permissive CORS or lack authentication. These apps may be internal tools or development versions of public apps. It’s assumed that they’re protected by VPN, but a malicious website can exploit them using cross-origin requests, DNS rebinding, and more.
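One way an internal app or local service can defend itself against the cross-origin requests and DNS rebinding described in the two sections above (an added example, not code from the original post; the hostnames, origins and sample requests are constructed):

```python
# Request filter for an internal web app or local service. Two checks:
#  1. Host header allowlist: defeats DNS rebinding, because the browser still
#     sends the attacker's hostname in Host even after it resolves to 127.0.0.1.
#  2. Origin allowlist: never reflects an arbitrary Origin into
#     Access-Control-Allow-Origin, and rejects state-changing cross-origin calls.
from dataclasses import dataclass, field

ALLOWED_HOSTS = {"localhost", "127.0.0.1", "intranet-tool.corp.example"}  # assumption
ALLOWED_ORIGINS = {"https://intranet-tool.corp.example"}                  # assumption
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only; unsafe methods need a trusted Origin


@dataclass
class Decision:
    allowed: bool
    reason: str
    cors_headers: dict = field(default_factory=dict)


def check_request(method: str, headers: dict) -> Decision:
    """Decide whether the request may reach the app and which CORS headers to emit."""
    h = {k.lower(): v for k, v in headers.items()}

    # DNS rebinding defence: a rebound attacker.example still arrives with Host: attacker.example
    host = h.get("host", "").split(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        return Decision(False, f"unexpected Host header: {host!r}")

    origin = h.get("origin")
    if origin is None:
        return Decision(True, "same-origin or non-browser request")
    if origin in ALLOWED_ORIGINS:
        return Decision(True, "trusted origin",
                        {"Access-Control-Allow-Origin": origin, "Vary": "Origin"})
    # Untrusted origin: simple GETs get no CORS headers (the browser withholds the
    # response from the page); anything that changes state is refused outright,
    # since a form POST from a malicious page is sent without a preflight.
    if method.upper() in SAFE_METHODS:
        return Decision(True, "untrusted origin, no CORS headers emitted")
    return Decision(False, f"untrusted Origin for {method}: {origin!r}")


# Constructed sample requests: legitimate, DNS rebinding, cross-origin to a local service.
SAMPLES = [
    ("GET", {"Host": "intranet-tool.corp.example", "Origin": "https://intranet-tool.corp.example"}),
    ("POST", {"Host": "attacker.example", "Origin": "https://attacker.example"}),
    ("POST", {"Host": "127.0.0.1:8080", "Origin": "https://attacker.example"}),
]

if __name__ == "__main__":
    for method, headers in SAMPLES:
        d = check_request(method, headers)
        print(f"{method:4} {headers['Host']:30} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

The Host check is the one most internal tools and local helper servers lack; it is cheap and it stops the rebinding trick even when the attacker's page is otherwise indistinguishable from a same-origin client.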
Browser vulnerabilities
Your web browser may have vulnerabilities, even if it’s a modern and commonly-used browser. When you click a link and load a malicious website, the website can break out of the browser’s security controls. This can allow the website to execute code on your device, install malware, or access your accounts on other websites. Browser plugins may also introduce vulnerabilities.
This is perhaps the most fearsome risk in this list. Someone can gain control over your device simply by having you visit a website. Everyone uses web browsers, so anyone can be targeted. Fortunately, browser vulnerabilities are not easy to come by, and they are quickly patched after discovery.
Examples:
- Chromium document describing some browser attacks: arbitrary code execution, UXSS, and Spectre-like side channel attacks (in the Motivation section)
- Coinbase article on how they were targeted by Firefox exploits
- Evernote plugin for Chrome allowed malicious websites to access other websites
Privacy
Clicking a link and visiting a website may expose your personal information. This can include your IP address, geolocation, operating system, language, browser information, and more. This information can be unique to you, and may be correlated with activity on other websites.
Example:
- EFF website that demonstrates what private information can be leaked (Click “Show full results for fingerprinting” after the test)
Phishing
Clicking a link can take you to a webpage that tricks you (or “phishes” you) into entering your credentials, downloading & running malware, or compromising you in some other way. Good attacks can appear convincing and legitimate.
While phishing could require more than just clicking a link, it is perhaps the most common risk of clicking links, and is frequently the first step in a broader attack.
Examples:
- Phishing campaign targeting O365 OAuth
- Citizen Lab report on a hacking operation that largely used phishing
- How Microsoft Office files can contain malware
Mitigations
Given all that can go wrong, what can you do about it?
It comes down to basic security hygiene. Use U2F/2FA, use a password manager, keep all software up-to-date, avoid installing unnecessary software, limit app permissions to what is necessary, log out of accounts you’re not using, and put untrusted “smart” devices on separate network segments.
To the extent practical, exercise caution with links, especially if unsolicited. Check if the domain is one you trust or expect. Ensure you’re on HTTPS. Be careful of what you enter, approve, download, or run.
Finally, security practitioners need to ensure that their systems and environments are resilient to users clicking on malicious links. It is unreasonable to expect users never to click on malicious links. Typical internet usage involves clicking many links, and good phishing scenarios are difficult to distinguish from legitimate scenarios.