Tabnapping Scams Around the Corner?

← Back to Stories (view on slashdot.org)

Tabnapping Scams Around the Corner?

Posted by CmdrTaco on Tuesday May 25, 2010 @12:54AM from the well-that's-not-very-nice dept.

scamdetect pointed us to an interesting bit of news about a new security risk called tabnapping that was recently outlined by Aza Raskin. The short story is that background tabs are updated with login forms impersonating the sites they originally contained, but hosted by helpful third parties primarily interested in your password. (CT:Original writeup removed at request of submitter)

5 of 362 comments (clear)

Min score:

Reason:

Sort:

This is one of those stupidly smart things. by Securityemo · 2010-05-25 01:02 · Score: 3, Informative

You see this, and think "Why didn't someone think about this before?"

--
Emotions! In your brain!
Not exactly. by khasim · 2010-05-25 01:12 · Score: 3, Informative

Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen.
Not exactly. From his page on this "exploit"...

You can try it out on this very website (I've only tested it in Firefox). Click away to another tab for at least five seconds. Flip to another tab. Do whatever. Then come back to this tab.
It's hard to find, isn't it? It looks exactly like Gmail. I was lazy and took a screenshot of Gmail which loads slowly. It would be better to recreate the page in HTML.
So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.
Noscript by Wonko+the+Sane · 2010-05-25 01:16 · Score: 3, Informative

This attack only works if you allow Javascript by default, instead of only whitelisting sites that you trust.
Re:So let me get this straight... by The+MAZZTer · 2010-05-25 01:17 · Score: 3, Informative

Some people keep 100s of tabs open. They could come back hours later and see a Gmail login screen and assume they opened it at some point.
Re:Umm... by mcgrew · 2010-05-25 01:55 · Score: 3, Informative

P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."
No, that was Abraham Lincoln, who said "you can fool some of the people all of the time, and all of the people some of the time, but you can't fool all of the people all of the time."
PT Barnum said "there's a sucker born every minute." And both he and Lincoln were correct.

--
Free Martian Whores!