A new type of phishing vulnerability, which relies on users' expectations
that browser tabs don't change once loaded, was recently reported
by Aza Raskin, Mozilla's creative lead for Firefox. Dubbed "tabnabbing"
(also tabjacking and tabnapping among others), the vulnerability is one
that could potentially even catch those who are generally
security-conscious because it exploits a common trend: having many open
tabs and scanning for the "favicon" and title for a web page of interest.
If an attacker can cause a tab to appear to be Gmail, for example,
they may well be able to trick users into entering their credentials.

The techniques used by tabnabbing are not particularly new, but Raskin has
combined them into a plausible attack. The basic idea is that
a user navigates to an attacker-controlled site—or a site vulnerable
to some form of cross-site scripting—and then switches away from that
tab. The page has some code that detects when it loses focus and hasn't
been used in a while. When it detects that, it switches the title,
favicon, and contents of the page to something else entirely.
That "something else entirely" will be a phishing site—one
that looks and acts exactly like a real site, but captures credentials,
credit card numbers, or other sensitive information instead. Users are
likely to choose that tab if they are looking for an open tab corresponding
to the spoofed site. As Raskin puts it: "As the user scans their
many open tabs, the favicon and title act as a strong visual cue—memory is
malleable and moldable and the user will most likely simply think they left
a Gmail tab open." The user is likely to just log in without
thinking twice about it, and once that happens, the attacker's code can
send the credentials off to their site and redirect the browser tab to the

One thing tabnabbing can't do is to spoof the browser address bar, so
alert users may notice that their Gmail tab has a dodgy, non-Gmail address
associated with it. But how many users actually look after switching to a
tab that they half-expect to be open anyway? While spoofing valid
addresses directly may not be possible, using
Unicode domain names may be a way for the address to look legitimate,
as Raskin notes.

Combining tabnabbing with the CSS browser history
leak could produce a list of sensitive sites the user has
visited—exactly those which might be phished successfully. It is a
fairly insidious attack and one that works in all major browsers. Those
who use the NoScript Firefox extension
are not vulnerable to the standard attack, but they aren't completely

Brian Krebs wrote
about Raskin's report on his blog and noted that NoScript stopped
tabnabbing. But in an update, he pointed to Aviv Raff's proof-of-concept
<META HTTP-EQUIV="refresh" ...>
to change the contents of a tab after a timeout expires. That newly loaded
page can have a different favicon and title, which replicates much of the

NoScript author Giorgio Maone comments
on Krebs's blog that he is considering adding functionality to NoScript to
disallow tabs to refresh themselves from locations other than the current
one. He also notes that Firefox has an option:
"Advanced/[General/]Accessibility/Warn me when web sites try to redirect or
reload the page" that can be enabled to combat this behavior.

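
Both the focus-loss swap described earlier and the meta-refresh variant that Maone is considering blocking can be checked for on the defender's side. What follows is an added example in plain JavaScript, not code from the article, from Raskin's or Raff's demos, or from NoScript; it assumes a hypothetical extension or proxy that hands it the page URL, the refresh value, and snapshots of a tab's title, favicon and address taken when the tab loses and regains focus.

```javascript
// Added example (not from the article or NoScript). Two defender-side checks:
// parseMetaRefresh() classifies a <meta http-equiv="refresh"> (or Refresh
// header) value as a same-origin or cross-origin redirect, the distinction
// behind the NoScript idea of refusing refreshes to a different location;
// tabChangedWhileHidden() compares snapshots of a tab taken at blur and at
// focus and reports which identity cues (title, favicon, origin) changed.
// The snapshot objects {title, favicon, href} are a hypothetical input shape.

function parseMetaRefresh(pageUrl, content) {
  // Accepts "5", "0; url=http://x/", "5;URL='/path'" (url= is case-insensitive).
  const m = /^\s*(\d+)\s*(?:[;,]\s*url\s*=\s*['"]?([^'"]+?)['"]?\s*)?$/i.exec(content);
  if (!m) return null;
  let page, target;
  try {
    page = new URL(pageUrl);
    // A bare delay with no url= part reloads the current page.
    target = new URL(m[2] !== undefined ? m[2] : page.href, page.href);
  } catch (e) {
    return null;
  }
  return {
    delay: Number(m[1]),
    target: target.href,
    crossOrigin: target.origin !== page.origin,
  };
}

function tabChangedWhileHidden(before, after) {
  // Returns the cues that differ. A tabnabbed tab typically changes title and
  // favicon while the address (origin) stays the same, which is why the
  // address bar is the one cue the page cannot forge.
  const changed = [];
  if (before.title !== after.title) changed.push('title');
  if (before.favicon !== after.favicon) changed.push('favicon');
  if (new URL(before.href).origin !== new URL(after.href).origin) changed.push('origin');
  return changed;
}

// Constructed sample data, not captured from any real site.
const sampleRefresh = parseMetaRefresh('https://blog.example/post',
  '0; url=https://other.example/login');
const sampleTab = tabChangedWhileHidden(
  { title: 'My blog', favicon: 'https://blog.example/favicon.ico', href: 'https://blog.example/post' },
  { title: 'Gmail: Email from Google', favicon: 'https://blog.example/gmail.ico', href: 'https://blog.example/post' });
```

On the constructed sample, sampleRefresh.crossOrigin is true and sampleTab is ['title', 'favicon'], the pattern the article describes: the cues a user scans for change while the address does not.
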
For the future, Raskin points to Firefox
Account Manager as a way to help protect users against this kind of
attack. It will take a more active role in protecting users from logging
into lookalike sites.

It is instructive to try out the demos, both at Raskin's and Raff's sites.
Neither does anything actively harmful, but both certainly give a good idea of
how a phishing attack using the technique might work. Even the most wary
might be caught by this one.