Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tabnapping Scams Around the Corner?

Posted by CmdrTaco on from the well-that's-not-very-nice dept.

scamdetect pointed us to an interesting bit of news about a new security risk called tabnapping that was recently outlined by Aza Raskin. The short story is that background tabs are updated with login forms impersonating the sites they originally contained, but hosted by helpful third parties primarily interested in your password. (CT:Original writeup removed at request of submitter)

19 of 362 comments (clear)

  1. Umm... by Pojut · · Score: 3, Insightful

    ...so are people really dumb enough to go "oh right, my bank's webpage" without realizing they didn't bring it up themselves?

    --
    Living With a Nerd
    1. Re:Umm... by mgblst · · Score: 5, Insightful

      What if they have it in another tab already? Then it would work.

      And if you use this for gmail, or facebook, tabs that people always have opened, it is going to get results.

      This is actually incredibly brilliant. I am going to pay more attention to my tabs from now on.

    2. Re:Umm... by Anonymous Coward · · Score: 3, Insightful

      I think what might be more disturbing is if the application looked at what url your other tabs are and redirected those sites to phishing sites that have copied the layout.

    3. Re:Umm... by fuzzyfuzzyfungus · · Score: 3, Interesting

      P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."

      Arguably, that will be the case here. Your basic clueless noobtard will click on just about anything that looks vaguely plausible, and a lot of stuff that doesn't. This technique will be overkill for them, since straight phishing still works just fine.

      Your competent power user, on the other hand, may not fall for the trivial cases(two or three tabs, "innocuous-linkfarm.typosquatter.com" changes into "evil.ath.cx/yourbankherereallyhonestly.html" in front of your eyes); but they are the ones most likely to have 10 firefox windows open, each with 20 or 30 tabs, possibly on multiple monitors. Unless you possess an inhuman ability to maintain state tables in your head, you could easily assume that "yourbank.scam.com" on browser window 5, tab 15, is the "yourbank.com" that you actually did open, on browser window 7, tab 19. That'd be totally understandable mistake, some percentage of the time, especially if you were tired, distracted, multitasking, or getting sauced enough to face a legacy refactoring project.

      Again, tab-related trickery is of no particular use against SSL and cert validation, so the clueful user could detect it that way(unless combined with some attack on SSL, the browser's implementation of it, or the integrity of a trusted certificate authority); but there is no particular reason to suspect that any but the most paranoid user would detect the tab-substitution attack itself.

    4. Re:Umm... by mcgrew · · Score: 3, Informative

      P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."

      No, that was Abraham Lincoln, who said "you can fool some of the people all of the time, and all of the people some of the time, but you can't fool all of the people all of the time."

      PT Barnum said "there's a sucker born every minute." And both he and Lincoln were correct.

      --
      Free Martian Whores!
  2. Sneaky... by fuzzyfuzzyfungus · · Score: 3, Interesting

    Obviously, this won't subvert SSL certs or anything; but studies consistently demonstrate that users oscillate between "don't know" and "don't care" about those, so that isn't much comfort.

    And, since pages reloading themselves, or even forwarding to a different domain and URL entirely, after a delay is fairly common(if generally annoying) in a wide variety of legitimate applications, you can't really just break the ability to do that. Sure, you could add it as an advanced option somewhere, or get it largely for free with the right NoScript settings; but there is no way you can break it by default.

    You pretty much just fall back on the phishing filter, which is a lame, AV-esque "solution". This would seem to apply to all tabbed browsers, as well.

  3. This is one of those stupidly smart things. by Securityemo · · Score: 3, Informative

    You see this, and think "Why didn't someone think about this before?"

    --
    Emotions! In your brain!
  4. Re:We need death squads by PhongUK · · Score: 3, Funny

    How do we identify them?

  5. disabling scripts on unfocused tabs? by roman_mir · · Score: 4, Interesting

    Maybe it is time for the browsers to take matters more seriously and block any scripts from running in tabs that are not currently in focus.

    But this can be done in separate windows too, not just in tabs. In terms of whether this is a new concept, let's just say that I have 'seen' this done 10 years ago to gain access to some chat accounts.

    --
    You can't handle the truth.
  6. Not exactly. by khasim · · Score: 3, Informative

    Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen.

    Not exactly. From his page on this "exploit"...

    You can try it out on this very website (I've only tested it in Firefox). Click away to another tab for at least five seconds. Flip to another tab. Do whatever. Then come back to this tab.

    It's hard to find, isn't it? It looks exactly like Gmail. I was lazy and took a screenshot of Gmail which loads slowly. It would be better to recreate the page in HTML.

    So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.

    1. Re:Not exactly. by WrongSizeGlass · · Score: 4, Interesting

      So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.

      Exactly ... but if the 'fake' site checks your browser history for the specific fake login screens they have in their repertoire then they can show one that you have used recently.

  7. Noscript by Wonko+the+Sane · · Score: 3, Informative

    This attack only works if you allow Javascript by default, instead of only whitelisting sites that you trust.

  8. Re:So let me get this straight... by The+MAZZTer · · Score: 3, Informative

    Some people keep 100s of tabs open. They could come back hours later and see a Gmail login screen and assume they opened it at some point.

  9. Re:A little peeved! by clickety6 · · Score: 5, Insightful

    First tab-nabbing and now submission-nabbing where the link in the article changes after submission!

    --
    ----------------------------------- My Other Sig Is Hilarious -----------------------------------
  10. Re:A little peeved! by mysidia · · Score: 5, Insightful

    Slashdot is about news, not driving traffic to someone's website.

    And 'getting traffic' is not some kind of exchange or reward offered for submitting an article.

    If a different link is editorially better, then it is expected that the editors will swap it.

  11. Re:A little peeved! by Anonymous Coward · · Score: 3, Insightful

    Regardless of which link is in the story, I still greatly benefit from you having taken the time to write the blog post and submit it to slashdot. Thank you for that.

    Oh, you meant benefit to you! What do you think slashdot is? Just a way to generate eyeballs for your personal blog? Screw you for that.

  12. Re:A little peeved! by mcgrew · · Score: 5, Insightful

    That's a valid reason for including the link and for being disappointed that it was replaced - isn't it?

    Not in my eyes it isn't, and I wish they'd do it more often -- like when the submission has ten ad-laden one-paragraph pages I wish they'd link to a single page view, whether that site or another. Of course you think your blog was better than krebsonsecurity, but personally I almost never click on any link with "blog" in the name, especially from slashdot. They've gotten a lot of (well deserved) flak in the past for linking a blog that links an original story, and I'm glad they're listening.

    Be glad that they didn't rewrite the entire summary as they've done with some of my submissions.

    A submission is supposed to benefit the slashdot community, not the submitter. Too often people like you make submissions just to drive traffic to their own site for the money.

    Shame on you.

    --
    Free Martian Whores!
  13. Re:A little peeved! by Qzukk · · Score: 4, Insightful

    They've gotten a lot of (well deserved) flak in the past for linking a blog that links an original story, and I'm glad they're listening

    They're not listening, the blog post they substituted is still just someone bloviating about the original article and proof of concept.

    In action, it's scary in a way that just listening to some blogger yak about it doesn't get the point across, and the author points out how to use the :visited detectors and various hacks to detect if you've logged into a site or not to make it even scarier.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  14. Re:A little peeved! by scamdetect · · Score: 3, Funny

    Because you're being a selfish prick.

    I truly value your input. Thank you.