Tabnabbing : All your tabs belongs to me!!

Ever heard of the word “tabnabbing”??? well I haven’t until a few days back. Guess what, a new word to the  community and new method of attack to the bad guys!!. Its a new method of attack, that can be used for phishing, unveiled by Aza Raski, Creative Lead of Firefox, exploiting the weakest element in the chain Humans!!.

Well since the introduction of tabbed browsing, most of us surf the web with multiple tabs open, since its very convenient, and keep switching between them.You read news,chat with friends,update your FB status, all in different tabs. Here comes the problem, since all the tabs are open by us, we tends to trust them!!. Its not possible that the webpage in one tab might have changed while we are browsing in another right??.

Wrong!! as demonstrated by Aza, its possible for an attacker to detect that your viewing another tab and change the content of a particular tab to a phishing page.It happens relatively fast so that users won’t normally see the page getting reloaded.

How Exactly the Hack Happens?
1. Someone is sending you a link to a web page say an article about present job market to your gmail id.
2.You open that page in a tab, which seems like a legitimate article.
3.After giving it a quick read, you navigate to another tab to check the cricket score.
4.Attacker’s page detect that you have navigated away and haven’t interacted to it for a while.It replaces the favicon icon with that of gmail’s,the title with “Gmail: Email from Google”,  and change the page contents to look like the login page.
5.As the user scans through the open tabs, he/she will see the familiar looking Gmail favicon and title, without much doubt he/she will be ready to enter the username and password in the page thinking that it might have been automatically signed out, which is a normal situation.
6.The credentials goes to the attacker and you will be redirected back to gmail’s page.

Well the attacker got what we wanted,and you have no clue!!.If the same password/username combination is re-used in a bank OR if the attack is performed with a bank’s login page then the loss of the victim will be much more.

Still not convinced!!!??? See the video and you will understand.
http://vimeo.com/moogaloop.swf?clip_id=12003099&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1

[The video is taken from aza’s original post which you can see here]

So How Do We Fix It?
The attack is based on human psychology,rather than any vulnerability in the software, which makes it difficult to prevent.Firefox is coming up with Firefox Account Manager which will protect users from these kind of attacks and makes logging into websites easier, at least they claim it that way.Another method is to use NoScript to block all the un-necessary scripts/flash/java in a webpage, which will block not only this attack but a bunch of others too.

This entry was posted in Security and tagged , , , , , , . Bookmark the permalink.

7 Responses to Tabnabbing : All your tabs belongs to me!!

  1. Seriously nice piece of info, a suggestion, give users tips on how to deal with it for now. eg : check url always or , currently firefox and chrome supports like for eg: if the site is secure,then they will display it's name to the left of the title bar.the only sad part being facebook has no HTTPS/SSL ability

  2. Joseph says:

    Nice and informative. But still I fear that I'll involuntarily become a victim before recollecting all this in a similar situation…

  3. @abhimanyu thanx..am planning for such a post, facebook have SSL,only thing is that it won't use it by default, change http:// to https:// it will work like a charm :)@jojo..no buddy, once u r aware of it u will definitely think..trust me on this one..:)

  4. I tried it but the problem being it has no signed certificate, atleast in firefox it shows an untrusted connection warning, and adding that exception might be even less secure

  5. @abhi…i believe certificate says it belongs to *.akamai.net thats a legitimate company giving services to all main streams sites like yahho,FB,MSN and all..the problem should be related to timing synch across various servers.So seems to be trust-able than not using it.I am using it anyway.

  6. Good information n its time to explore the same…in fact I did the same way but without tabnabbing 🙂

  7. @pratheeshettan..ya i know wat u did 😛

Comments are closed.