Advisory: Internet shortcuts used for phishing in <img> elements
Websites may occasionally want to display image content from untrusted sources. A phishing attack may be carried out by the untrusted source, by displaying malicious instructions on the image, or by navigating the containing page to a similar looking document on another server. Since some image formats, such as Scalable Vector Graphics (SVG), support scripted or plug-in content, websites may use the <img> element to sanitize the content in the image, sandboxing it or preventing active content from running inside the image. This sandboxing behavior is mandated by HTML versions since HTML5, in order to assist sites that attempt to rely on it. If the image redirects to an Internet shortcut, Opera would follow and open them, navigating the containing document to the target page. This has no direct security impact as the address bar will show the correct address when this happens. However, examples of this have been detected in active use, as part of phishing attacks, relying on users not to notice that the page address is incorrect.
Opera Software has released Opera 12.10, which does not follow Internet shortcuts loaded from within inline elements, such as <img> elements.