Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tabnapping Scams Around the Corner?

Posted by CmdrTaco on from the well-that's-not-very-nice dept.

scamdetect pointed us to an interesting bit of news about a new security risk called tabnapping that was recently outlined by Aza Raskin. The short story is that background tabs are updated with login forms impersonating the sites they originally contained, but hosted by helpful third parties primarily interested in your password. (CT:Original writeup removed at request of submitter)

12 of 362 comments (clear)

  1. This is one of those stupidly smart things. by Securityemo · · Score: 3, Informative

    You see this, and think "Why didn't someone think about this before?"

    --
    Emotions! In your brain!
    1. Re:This is one of those stupidly smart things. by ShadowRangerRIT · · Score: 2, Informative
      To be clear, this isn't manipulating another tab. The sequence of events is:
      1. User opens link to seemingly innocuous but malicious site in Tab 1
      2. User goes to Tab 2 to do some other work (tab 2 is immaterial to this; it would work just as well if they switched to another application long enough to forget what they were doing in the browser)
      3. Malicious site in Tab 1 detects that it is unobserved, and replaces itself with a seemingly legitimate log-in page; this need not require a refresh with appropriately designed CSS and JavaScript, so you won't even see any action in the tab bar if you happen to be looking.
      4. User returns to Tab 1, assumes he opened the log-in screen for some reason and enters user name and password

      Now, in a two tab scenario, this sequence of events in unlikely. But for a user with 30 tabs open, there is a non-negligible chance that they forget what was on tab 17, and assume they had some reason to log-in to that site. People are really good at justifying actions that make no sense; just because they don't remember opening the site doesn't mean they won't come up with a reason why they would have. If they aren't aware of this exploit and forgot what was on the tab, they'd have little reason to be suspicious.

      Basically, this isn't a Firefox specific exploit. Any tabbed browser that doesn't disable all JavaScript by default will behave this way. NoScript and similar extensions will help, but a clever website designer might design the page to be useless without JavaScript. There are enough websites like that that a sufficiently interested user might whitelist it, if only temporarily, and some small percentage of those users may succumb to the trap.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    2. Re:This is one of those stupidly smart things. by Garble+Snarky · · Score: 2, Informative

      The locking prevents the user from navigating to another page. I don't think it has any effect on scripts that were initially loaded with the page.

  2. Not exactly. by khasim · · Score: 3, Informative

    Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen.

    Not exactly. From his page on this "exploit"...

    You can try it out on this very website (I've only tested it in Firefox). Click away to another tab for at least five seconds. Flip to another tab. Do whatever. Then come back to this tab.

    It's hard to find, isn't it? It looks exactly like Gmail. I was lazy and took a screenshot of Gmail which loads slowly. It would be better to recreate the page in HTML.

    So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.

  3. A little peeved! by scamdetect · · Score: 1, Informative

    Dear Slashdot: I submitted the above story this morning and was pleased when it was accepted for publication on your website. However, I was a little peeved to find that the link I included in the story - was substituted in the final story with this one Obviously this substitution removes any benefit whatsoever of my having taken the time to write the blog post and submit it to slashdot in the first place. Any chance of swapping the link back?

  4. Noscript by Wonko+the+Sane · · Score: 3, Informative

    This attack only works if you allow Javascript by default, instead of only whitelisting sites that you trust.

  5. Re:So let me get this straight... by The+MAZZTer · · Score: 3, Informative

    Some people keep 100s of tabs open. They could come back hours later and see a Gmail login screen and assume they opened it at some point.

  6. Re:Umm... by mcgrew · · Score: 3, Informative

    P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."

    No, that was Abraham Lincoln, who said "you can fool some of the people all of the time, and all of the people some of the time, but you can't fool all of the people all of the time."

    PT Barnum said "there's a sucker born every minute." And both he and Lincoln were correct.

    --
    Free Martian Whores!
  7. Re:Tabnapping by WrongSizeGlass · · Score: 2, Informative

    Changing it when you're not looking is done very easily:
    window.onblur = function(){
    ;TIMER = setTimeout(changeItUp, 5000);
    }
    BTW, this isn't just a FireFox issue, he's only tested it in FireFox. It also works in Safari and IE 7 but didn't take in Chrome 5 (Mac).

  8. Re: Tab Mix Plus doesn't work well enough by TaoPhoenix · · Score: 2, Informative

    I tried it out and Protected/Froze/Locked the tab and the exploit ran.

    I think it's because the full contents were loaded and it didn't actually try to navigate anywhere.

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  9. Re:So let me get this straight... by Qzukk · · Score: 2, Informative

    No, tab 1 is still the same site as ever, but the page you visited in tab 34 and forgot about 30 minutes ago suddenly looks like a facebook "you have timed out please log in" page. It's even used javascript to change the title of the tab and the favicon.

    Pop Quiz! Were you logged into Facebook on tab 48, tab 18, or tab 42???!?!

    All it takes is a bit of javascript inserted into a normal site using cross-site scripting, or an intentionally malicious site in the first place, or an adserver serving up whatever javascript anyone pays them to host. This is why I use NoScript.

    The original author (not linked in the submission) points out that you can use the :visited hack to choose a login screen that the user would expect to see. And you can use various other hacks to determine if the user is currently logged into some site or not.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  10. Re:Umm... by nabsltd · · Score: 2, Informative

    PT Barnum said "there's a sucker born every minute."

    No, he didn't.