Redirecting browser tabs via "tabnabbing"
A new type of phishing vulnerability, which relies on users' expectations that browser tabs don't change once loaded, was recently reported by Aza Raskin, Mozilla's creative lead for Firefox. Dubbed "tabnabbing" (also tabjacking and tabnapping among others), the vulnerability is one that could potentially even catch those who are generally security-conscious because it exploits a common trend: having many open tabs and scanning for the "favicon" and title for a web page of interest. If an attacker can cause a tab to appear to be Gmail, for example, they may well be able to trick users into entering their credentials.
The technique used by tabnabbing is not particularly new, but Raskin has combined these techniques into a plausible attack. The basic idea is that a user navigates to an attacker-controlled site—or a site vulnerable to some form of cross-site scripting—and then switches away from that tab. The page has some code that detects when it loses focus and hasn't been used in a while. When it detects that, it switches the title, favicon, and contents of the page to something else entirely.
That "something else entirely" will be a phishing site—one
that looks and acts exactly like a real site, but captures credentials,
credit card numbers, or other sensitive information instead. Users are
likely to choose that tab if they are looking for an open tab corresponding
to the spoofed site. As Raskin puts it: "As the user scans their
many open tabs, the favicon and title act as a strong visual cue—memory is
malleable and moldable and the user will most likely simply think they left
a Gmail tab open.
" The user is likely to just log in without
thinking twice about it, and once that happens, the attacker's code can
send the credentials off to their site and redirect the browser tab to the
real Gmail.
One thing tabnabbing can't do is to spoof the browser address bar, so alert users may notice that their Gmail tab has a dodgy, non-Gmail address associated with it. But how many users actually look after switching to a tab that they half-expect to be open anyway? While spoofing valid addresses directly may not be possible, using Unicode domain names may be a way for the address to look legitimate, as Raskin notes.
Combining tabnabbing with the CSS browser history leak could produce a list of sensitive sites the user has visited—exactly those which might be phished successfully. It is a fairly insidious attack and one that works in all major browsers. Those who use the NoScript Firefox extension are not vulnerable to the standard attack, but they aren't completely invulnerable either.
Brian Krebs wrote about Raskin's report on his blog and noted that NoScript stopped tabnabbing. But in an update, he pointed to Aviv Raff's proof-of-concept that uses:
<META HTTP-EQUIV="refresh" ...>
to change the contents of a tab after a timeout expires. That newly loaded
page can have a different favicon and title, which replicates much of the
standard attack.
NoScript author Giorgio Maone comments
on Krebs's blog that he is considering adding functionality to NoScript to
disallow tabs to refresh themselves from locations other than the current
one. He also notes that Firefox has an option:
"Advanced/[General/]Accessibility/Warn me when web sites try to redirect or
reload the page
" that can be enabled to combat this behavior.
For the future, Raskin points to Firefox Account Manager as a way to help protect users against this kind of attack. It will take a more active role in protecting users from logging into lookalike sites.
It is instructive to try out the demos, both at Raskin's and Raff's sites. Neither does anything actively harmful, but certainly give a good idea of how a phishing attack using the technique might work. Even the most wary might be caught by this one.
| Index entries for this article | |
|---|---|
| Security | Phishing |
| Security | Web browsers |