Fear the tabnap phish

Beware Tabnabbing, a New Type of Phishing Attack
[Via TidBITS]

I can never decide whether I’m happy when a good guy discovers and publicizes a new way of potentially exploiting Internet users. After all, it’s better that we learn about the problem before it appears in the wild, but there’s always a worry that the bad guys wouldn’t have figured it out on their own without the hint. The latest trick, dubbed “tabnabbing,” comes from Aza Raskin, Creative Lead for Firefox (and son of Jef Raskin).

Here’s how it works, and you can watch it happen yourself by loading the proof-of-concept (which is also the page where Raskin explains the exploit). Although Aza Raskin tested primarily with Firefox, I was able to verify that the exploit also works in the Mac versions of Safari, Camino, Opera, and OmniWeb, though not quite in the same way in each. The current version of Google Chrome (5.0.375.55) appears to be immune from the problem, though it’s possible that Google fixed it quickly, since others have previously reported Chrome as vulnerable.

Imagine you’re browsing the Web and you end up at a particular page, call it SneakyPage. It doesn’t look evil, and it may in fact be a totally legitimate site that has been compromised by a bad guy. But it contains a tiny bit of malicious JavaScript that loads with the page, and that JavaScript does nothing unless you switch to another tab, leaving the tab holding SneakyPage open.

At that point, the malicious JavaScript springs into action, replacing the SneakyPage tab’s favicon, title, and page content. Remember, you’re off in another tab, or even in another program, so you’re not paying attention at this point.

SneakyPage could pretend to be Gmail or Hotmail or Citibank or any other commonly used site. The specifics don’t matter; all it has to do is make you believe that the tab contains a legitimate login form for a service you use.

At some point later, you come back to the tab, see the login form, and decide that yes, you do want to log back in to check your email or your account balance. Once you do so, SneakyPage’s JavaScript snags your login credentials for future nefarious purposes and redirects you to the actual site, so you’re none the wiser that you’ve just fallen victim to a phishing attack.


This is really a scary approach as it can work even if you take normal precautions. The Javascript will morph the page into a new one when you are not looking. Then you come back to is, see that your log-in timed out and decide to log back in. However, even though the page may look like a Gmail page or even your bank’s, it is a fake. It will grab your login information, sent that to its own servers, and then pass you on to the page you thought you were going to. You are none the wiser. The webpages all look right but now someone else has your login information.

To stop this, you can either shut off Javascript, which makes the web pretty much unusable. Or you have to change your behavior. Only login from a new window, not from an old tab.

Most phishing attempts are based on using human nature. Often simply being safe about where one goes is enough. And not clicking links you do not know about.

But this one is really sneaky and requires a major change in behavior in order to be safe.

I have to hope that the browser makers find a way to stop this.