Tabnabbing

Tabnabbing is a computer exploit and phishing attack, which persuades users to submit their login details and passwords to popular websites by impersonating those sites and convincing the user that the site is genuine. The attack's name was coined in early 2010 by Aza Raskin, a security researcher and design expert.[1][2] The attack takes advantage of user trust and inattention to detail in regard to tabs, and the ability of browsers to navigate across a page's origin in inactive tabs a long time after the page is loaded. Tabnabbing is different from most phishing attacks in that the user no longer remembers that a certain tab was the result of a link unrelated to the login page, because the fake login page is loaded in one of the long-lived open tabs in their browser.[3]

The attack causes the browser to navigate to the impersonated page after the page has been left unattended for some time. A user who returns after a while and sees the login page may be induced to believe the page is legitimate and enter their login, password and other details that will be used for improper purposes. The attack can be made more likely to succeed if the attacker is able to check for well known websites the user has loaded in the past or in other tabs, and loads a simulation of the same sites. This attack can be done even if JavaScript is disabled, using the "meta refresh" meta element, an HTML attribute used for page redirection that causes a reload of a specified new page after a given time interval.[4]

The NoScript extension for Mozilla Firefox defends both from the JavaScript-based and from the scriptless attack, based on meta refresh, by preventing inactive tabs from changing the location of the page.[5] Because there are legitimate purposes for inactive tab redirects, it cannot be disabled in all browsers by default without breaking some applications. The attack is also not very common, giving browser vendors little incentive to implement a breaking change.

  1. ^ Claburn, Thomas (2010-05-25). "Tabnapping attack makes phishing easy". Information Week. Retrieved 2012-02-19.
  2. ^ "Aza Raskin's original tabnabbing disclosure". Azarask.in. 2010-05-25. Retrieved 2012-02-19.
  3. ^ Christina Warren 164 (2010-05-25). "New Type of Phishing Attack Goes After Your Browser Tabs". Mashable.com. Retrieved 2012-02-19.{{cite web}}: CS1 maint: numeric names: authors list (link)
  4. ^ Adler, Eitan (2010-05-30). "Eitan Adler's thoughts: Tabnabbing Without Javascript". Blog.eitanadler.com. Retrieved 2012-02-19.
  5. ^ "NoScript 1.9.9.81 changelog announcing specific tabnapping protection". Noscript.net. Retrieved 2012-02-19.