Every image is potentially a URL on Safari, thanks to over-enthusiastic OCR (Optical Character Recognition). This means you can link any image to an external website – and Safari might already be sending your users to unintended destinations.
This all started with the mysterious arrival of ‘zon.com’ on our company homepage. Ric (one of our designers) noticed some suspicious behaviour on our website. He came over to us, loaded our homepage on Safari and hovered over the Amazon logo. To our shock, it showed a link to “Zon.com”. His first questions to us – “Have we been hacked? Why on earth is this URL showing on our homepage?!”
After some investigation with dev tools we didn’t find anything out of the ordinary. So I loaded up Photoshop and made an image that had amazon.com in it. I loaded up Safari and hovered over the image, then a “quick look” menu popped up and gave a link to amazon.com!
This is a Safari feature: it runs OCR on images and turns anything that looks like a URL into a link. Because the Amazon logo has an arrow underneath, the OCR misread the text, and the URL came out as Zon.com. This is complete madness. Any image you upload to any website can now embed a URL on Safari!
This was parsed and the quick look menu appeared, but it didn’t let you click the URL. I then tried to make the JS URL look more like a regular URL:
This also failed, but then I tried this:
Anyway, I’m off to register Zon.com.