Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:55 AM
Keith Ferrell
Keith Ferrell

Tabnapping Threat Should Have You on Guard

How many tabs do you have open in your browser right now? Potentially, some of them can be tabnapped -- taken over by crooks looking to trick you into re-entering your password and user name.

How many tabs do you have open in your browser right now? Potentially, some of them can be tabnapped -- taken over by crooks looking to trick you into re-entering your password and user name.Tabnapping -- a phishing attack that takes over an inactive browser tab -- is at the moment more talked about than active. But considering how tricky this attack is, look for it to appear in the wild before long.

As described in Firefox creative lead Aza Raskin's blog, a tabnapping attack takes over an inactive browser tab, alters it to resemble a Gmail log-in page, the attacker betting that when the user returns to that tab the supposition will be that they left Gmail open, will log in again, and -- wham! -- the attacker has the user's password and log-in info.

Incidentally, Raskin's blog entry puts his demo where his post is -- tab away from the entry for five seconds and the page gets replaced with a phony gmail log-in image. The demo -- and the attack -- works on all major browsers, according to Raskin.

Not too hard to see even more malicious uses for the attack. Facebook and other social networking log-in pages; bank and other financial info requests; anything that requires a log-in and password, and can be duplicated/faxed by the phishers.

While the technique itself is tricky enough, what should really have our guards up is the bet the phishers will be making -- that you won't remember whether or not you had a Gmail or banking page open and didn't log in, whether you'll think that you session timed out, and whether you're immediate respose to returning to the now-compromised tab will be to log "back" in without giving the matter any further though.

That sort of immediate response is what phishers have counted on to good effect for years in link-laden e-mails and otehr phishing expeditions. See a link, click a link: that's the bet, and for plenty of unfortunate users it's a good, if crooked, wager.

See a log-in page, log-in? Pass the word that log-ins and passwords should only be entered through fresh, user-initiated pages. And tell them to:

Close those tabs!

Don't Miss: 4 Steps To Avoid Social Media Landmines

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-25
A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because multiple + characters are mishandled in add_on in upcean.c, when called from eanx in upcean.c during EAN barcode generation.
PUBLISHED: 2020-02-24
An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's } parser function.
PUBLISHED: 2020-02-24
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that ...
PUBLISHED: 2020-02-24
controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954.
PUBLISHED: 2020-02-24
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind...