Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tabnapping Scams Around the Corner?

Posted by CmdrTaco on from the well-that's-not-very-nice dept.

scamdetect pointed us to an interesting bit of news about a new security risk called tabnapping that was recently outlined by Aza Raskin. The short story is that background tabs are updated with login forms impersonating the sites they originally contained, but hosted by helpful third parties primarily interested in your password. (CT:Original writeup removed at request of submitter)

7 of 362 comments (clear)

  1. Re:Umm... by mgblst · · Score: 5, Insightful

    What if they have it in another tab already? Then it would work.

    And if you use this for gmail, or facebook, tabs that people always have opened, it is going to get results.

    This is actually incredibly brilliant. I am going to pay more attention to my tabs from now on.

  2. disabling scripts on unfocused tabs? by roman_mir · · Score: 4, Interesting

    Maybe it is time for the browsers to take matters more seriously and block any scripts from running in tabs that are not currently in focus.

    But this can be done in separate windows too, not just in tabs. In terms of whether this is a new concept, let's just say that I have 'seen' this done 10 years ago to gain access to some chat accounts.

    --
    You can't handle the truth.
  3. Re:Not exactly. by WrongSizeGlass · · Score: 4, Interesting

    So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.

    Exactly ... but if the 'fake' site checks your browser history for the specific fake login screens they have in their repertoire then they can show one that you have used recently.

  4. Re:A little peeved! by clickety6 · · Score: 5, Insightful

    First tab-nabbing and now submission-nabbing where the link in the article changes after submission!

    --
    ----------------------------------- My Other Sig Is Hilarious -----------------------------------
  5. Re:A little peeved! by mysidia · · Score: 5, Insightful

    Slashdot is about news, not driving traffic to someone's website.

    And 'getting traffic' is not some kind of exchange or reward offered for submitting an article.

    If a different link is editorially better, then it is expected that the editors will swap it.

  6. Re:A little peeved! by mcgrew · · Score: 5, Insightful

    That's a valid reason for including the link and for being disappointed that it was replaced - isn't it?

    Not in my eyes it isn't, and I wish they'd do it more often -- like when the submission has ten ad-laden one-paragraph pages I wish they'd link to a single page view, whether that site or another. Of course you think your blog was better than krebsonsecurity, but personally I almost never click on any link with "blog" in the name, especially from slashdot. They've gotten a lot of (well deserved) flak in the past for linking a blog that links an original story, and I'm glad they're listening.

    Be glad that they didn't rewrite the entire summary as they've done with some of my submissions.

    A submission is supposed to benefit the slashdot community, not the submitter. Too often people like you make submissions just to drive traffic to their own site for the money.

    Shame on you.

    --
    Free Martian Whores!
  7. Re:A little peeved! by Qzukk · · Score: 4, Insightful

    They've gotten a lot of (well deserved) flak in the past for linking a blog that links an original story, and I'm glad they're listening

    They're not listening, the blog post they substituted is still just someone bloviating about the original article and proof of concept.

    In action, it's scary in a way that just listening to some blogger yak about it doesn't get the point across, and the author points out how to use the :visited detectors and various hacks to detect if you've logged into a site or not to make it even scarier.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.