Tabnabbing: Preying on the Perceived Immutability of Tabs

Tuesday May 25th 2010 by Developer.com Staff

A new phishing technique takes advantage of tabbed browsers to steal your username and password. It's called 'tabnabbing.'

Aza Raskin is creative lead at Firefox. In a blog post this week, he described and demonstrated a new phishing technique called "tabnabbing."

The way it works is that someone with evil in their heart inserts a tiny bit of JavaScript in one of the many tabs you have open in your web browser. The JavaScript detects when a tab has lost its focus and the page hasn't been interacted with for a while. It then loads a nefarious page - a hook to fish with.

The hook with the fresh worm on it could be a page that looks just like the Gmail login screen, or Facebook, or Twitter, or your bank's website.

When you see the page, you just assume you've been logged out. You re-enter your login credentials and get tabnabbed.
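The behaviour described above can be checked for from the browser side. The following is an added example, not code from Raskin's post or from Firefox: a heuristic that snapshots a tab's identity cues when it loses focus and compares them when the user returns. `TabGuard`, `snapshot` and the tab-state fields are hypothetical names, and the sample states are constructed.

```javascript
// Added example: a defender-side heuristic, not code from Raskin's post.
// TabGuard, snapshot and the tab-state fields are hypothetical names.

// Record the cues a user relies on to recognise what a tab contains.
function snapshot(tab) {
  return {
    origin: new URL(tab.url).origin,
    title: tab.title,
    favicon: tab.favicon,
    hasPasswordField: Boolean(tab.hasPasswordField),
  };
}

class TabGuard {
  constructor() {
    this.atBlur = new Map(); // tabId -> snapshot taken when the tab lost focus
  }

  // Call when a tab loses focus.
  onHidden(tabId, tab) {
    this.atBlur.set(tabId, snapshot(tab));
  }

  // Call when the tab regains focus. Reports which cues changed while the
  // user was not looking and whether the combination merits a warning.
  onVisible(tabId, tab) {
    const before = this.atBlur.get(tabId);
    this.atBlur.delete(tabId);
    if (!before) return { warn: false, changed: [] };
    const after = snapshot(tab);
    const changed = Object.keys(before).filter((k) => before[k] !== after[k]);
    // A title change alone is routine (unread counters). The pattern the
    // article describes is a page that swapped identity while unattended
    // and now asks for a login.
    const identitySwap = changed.includes("origin") ||
      (changed.includes("title") && changed.includes("favicon"));
    const newLoginForm = after.hasPasswordField && !before.hasPasswordField;
    return { warn: identitySwap && newLoginForm, changed };
  }
}

// Constructed sample states (not real sites).
const guard = new TabGuard();
const article = { url: "https://blog.example.test/post", title: "Post", favicon: "blog.ico" };
guard.onHidden(1, article);
const swapped = guard.onVisible(1, { url: "https://blog.example.test/post",
  title: "Mail: Sign in", favicon: "mail.ico", hasPasswordField: true });
guard.onHidden(2, article);
const benign = guard.onVisible(2, { ...article, title: "(1) Post" });
console.log(swapped, benign);
```

The first constructed tab keeps its URL but returns with a new title, a new favicon and a password field, so it is flagged; the second only gained an unread counter in its title and is not.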

The fix for this type of attack, Raskin said, is the web browser taking a more active role in protecting the user. This is the type of security problem the Firefox Account Manager is designed to solve.

"User names and passwords are not a secure method of doing authentication; it's time for the browser to take a more active role in being your smart user agent; one that knows who you are and keeps your identity, information, and credentials safe," Raskin said.
