LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

Kernel prepatch 3.9-rc6

LWN.net Weekly Edition for April 4, 2013

LWN.net Weekly Edition for March 28, 2013

A kernel change breaks GlusterFS

PyCon: Evangelizing Python

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Redirecting browser tabs via "tabnabbing"

By Jake Edge
May 26, 2010

A new type of phishing vulnerability, which relies on users' expectations that browser tabs don't change once loaded, was recently reported by Aza Raskin, Mozilla's creative lead for Firefox. Dubbed "tabnabbing" (also tabjacking and tabnapping among others), the vulnerability is one that could potentially even catch those who are generally security-conscious because it exploits a common trend: having many open tabs and scanning for the "favicon" and title for a web page of interest. If an attacker can cause a tab to appear to be Gmail, for example, they may well be able to trick users into entering their credentials.

The technique used by tabnabbing is not particularly new, but Raskin has combined these techniques into a plausible attack. The basic idea is that a user navigates to an attacker-controlled site—or a site vulnerable to some form of cross-site scripting—and then switches away from that tab. The page has some code that detects when it loses focus and hasn't been used in a while. When it detects that, it switches the title, favicon, and contents of the page to something else entirely.

That "something else entirely" will be a phishing site—one that looks and acts exactly like a real site, but captures credentials, credit card numbers, or other sensitive information instead. Users are likely to choose that tab if they are looking for an open tab corresponding to the spoofed site. As Raskin puts it: "As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open." The user is likely to just log in without thinking twice about it, and once that happens, the attacker's code can send the credentials off to their site and redirect the browser tab to the real Gmail.

One thing tabnabbing can't do is to spoof the browser address bar, so alert users may notice that their Gmail tab has a dodgy, non-Gmail address associated with it. But how many users actually look after switching to a tab that they half-expect to be open anyway? While spoofing valid addresses directly may not be possible, using Unicode domain names may be a way for the address to look legitimate, as Raskin notes.

Combining tabnabbing with the CSS browser history leak could produce a list of sensitive sites the user has visited—exactly those which might be phished successfully. It is a fairly insidious attack and one that works in all major browsers. Those who use the NoScript Firefox extension are not vulnerable to the standard attack, but they aren't completely invulnerable either.

Brian Krebs wrote about Raskin's report on his blog and noted that NoScript stopped tabnabbing. But in an update, he pointed to Aviv Raff's proof-of-concept that uses: 

    <META HTTP-EQUIV="refresh" ...>
to change the contents of a tab after a timeout expires. That newly loaded page can have a different favicon and title, which replicates much of the standard attack.

NoScript author Giorgio Maone comments on Krebs's blog that he is considering adding functionality to NoScript to disallow tabs to refresh themselves from locations other than the current one. He also notes that Firefox has an option: "Advanced/[General/]Accessibility/Warn me when web sites try to redirect or reload the page" that can be enabled to combat this behavior.

For the future, Raskin points to Firefox Account Manager as a way to help protect users against this kind of attack. It will take a more active role in protecting users from logging into lookalike sites.

It is instructive to try out the demos, both at Raskin's and Raff's sites. Neither does anything actively harmful, but certainly give a good idea of how a phishing attack using the technique might work. Even the most wary might be caught by this one.

(Log in to post comments)

Redirecting browser tabs via "tabnabbing"

Posted May 27, 2010 7:35 UTC (Thu) by NicDumZ (guest, #65935) [Link]

Thanks to those mozilla changes related to CSS :visited privacy it seems that soon enough, tabsnappers will not be able to scan visitor's history.
But random shot-in-the-dark tabsnapping attacks targeted to famous websites will still be possible, and will probably fool a lot of users.

Firefox account manager is a promising new security approach: I can't help but notice that in this security model I surrender a lot of my user security awareness to simply hand over most of the security and privacy-related operations to my browser. It is not necessarily a bad thing, just another approach that needs to be cautiously designed to make sure the the new habits spawned by this account manager will not endanger careless users more than the current "you are fully responsible for your actions" method.

If sensible authentication were used...

Posted May 27, 2010 12:02 UTC (Thu) by epa (subscriber, #39769) [Link]

So, once again, why do sites insist on logging in through username and password boxes in a form on the page itself? If instead they used the web browser's built-in support for http digest authentication, the browser can clearly show the web address that the password is going to, *and nothing else*, so no cute Gmail or bank logos or any other visual clues which users come to depend on but are easily spoofable.

(Indeed, it might be a good idea for the browser password dialogue to require you to type in the domain name of the site, if it's one you haven't authenticated to before.)

Using an ordinary HTML form for username-password authentication looks prettier, but I feel it makes spoofing attacks much harder to prevent.

If sensible authentication were used...

Posted May 27, 2010 13:57 UTC (Thu) by niner (subscriber, #26151) [Link]

Well HTTP authentication might be nice if it didn't have a serious drawback: it's just not possible to end a session. Mozilla used to be the only browser that I know of that ever had a logout button for HTTP authentication. It was removed in Firefox to simplify the user interface. You can still add it for example as part of the web developer extensions, but no normal user would have that.

Also it's not possible to end a session from the server side, since the browser is sending valid credentials with every request. It's just a NO GO from a security perspective.

If sensible authentication were used...

Posted May 27, 2010 14:56 UTC (Thu) by TRS-80 (subscriber, #1804) [Link]

They actually added it back in 3.0 as part of the "Clear Private Data..." interface. Also, it is possible to end it from the server side, but it requires a fair bit of hackery. There are plenty of other reasons not to use HTTP auth however, including the inflexibility of the browser UI for providing options like "new user" and "forgot my password".

If sensible authentication were used...

Posted Jun 1, 2010 16:15 UTC (Tue) by epa (subscriber, #39769) [Link]

Agreed. It would need the browser makers to get together to define a basic common interface for web authentication, into which site makers could plug their 'new user' and password reminder pages. Once it's widely deployed, security-conscious sites might start to use it.

If sensible authentication were used...

Posted Jun 1, 2010 16:43 UTC (Tue) by TRS-80 (subscriber, #1804) [Link]

https://wiki.mozilla.org/Labs/Weave/Identity/Account_Manager

Redirecting browser tabs via "tabnabbing"

Posted May 27, 2010 13:51 UTC (Thu) by NAR (subscriber, #1313) [Link]

The user is likely to just log in without thinking twice about it

On the other hand the user is likely to notice that the form doesn't offer his/her username and the browser can't fill in the password...

Redirecting browser tabs via "tabnabbing"

Posted May 27, 2010 13:57 UTC (Thu) by jake (editor, #205) [Link]

> On the other hand the user is likely to notice that the form
> doesn't offer his/her username and the browser can't fill in
> the password

Except, of course, for many sites that disable the browser's ability to store username/password. Most of the banking/financial sites seem to be that way these days.

jake

Redirecting browser tabs via "tabnabbing"

Posted May 27, 2010 15:51 UTC (Thu) by Cato (subscriber, #7643) [Link]

LastPass (http://lastpass.com) would also protect against this to some degree, as with any phishing site, by not recognising the site as one for which it has a valid username/password. It's similar to the Firefox account manager but has been around for a while and works on Chrome, Safari, Android, iPhone, etc.

Redirecting browser tabs via "tabnabbing"

Posted May 29, 2010 12:21 UTC (Sat) by mdz@debian.org (subscriber, #14112) [Link]

Chromium allows long-lived tabs to be "pinned" to the left (and smaller), where they are not so easily confused with transient tabs elsewhere. This is a manual process at present, but a similar, automatic feature would help users to distinguish between "familiar" tabs and "foreign" tabs.

Tabnabbing

Posted Feb 27, 2012 22:01 UTC (Mon) by ab.grace (guest, #83166) [Link]

I have read this article ..... a good one... but i have also found some interesting material at http://freefeast.info/general-it-articles/tabnabbing-be-s... regarding Tabnabbing.... Thought you people might like it...

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds