Re: Tab + Kidnapping = "Tabnabbing"




"The Real Truth MVP" <trt@xxxxxxxx> wrote in message news:i0j55q$tm8$1@xxxxxxxxxxxxxxxxxxxxxxxxx
A Firefox developer is warning of a new kind of phishing attack that preys on users' inattention to which tabs they have open in their browsers. The attack is perpetrated by JavaScript code in a specially-crafted page. When users have several tabs open and are not viewing the site with the malicious code, the code surreptitiously changes the destination page after several minutes of inactivity; the favicon and title of the page are changed as well. The attack can be made more personal by perusing users' browsing histories and making the page appear to be one that the user frequents, such as Facebook or a banking login page. When the user goes back to the tab, there is a sign-on screen asking for login credentials. The vulnerability affects all major browsers that run on Mac OS X and Windows.

How the Attack Works

1. A user navigates to your normal looking site.

2. You detect when the page has lost its focus and hasn't been interacted with for a while.

3. Replace the favicon with the Gmail favicon, the title with "Gmail: Email from Google", and the page with a Gmail login look-alike. This can all be done with just a little bit of JavaScript that takes place instantly.

4. As the user scans their many open tabs, the favicon and title act as a strong visual cue; memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they'll see the standard Gmail login page, assume they've been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.

5. After the user has entered their login information and you've sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.



The referenced article below gives more details and methods of avoiding being tabnabbed. Primarily, if an open tab requests a login when you return to it, close the tab and go directly to the site.

http://www.computerworld.com/s/article/9177398/How_to_foil_Web_browser_tabnapping_?taxonomyId=85


Thank you for advising of same, TRT.

If you have time, would you please post to my pals in alt.politics.scorched-earth?

Cheers

Dave
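The advice in the quoted article (be suspicious of a tab that asks for a login when you return to it) can be turned into an automatic check on the user's side. The following is an added example, not code from the original post or the cited article; it assumes it runs as a browser-extension content script and uses a hypothetical `onAlert` callback to surface the warning:

```javascript
// Added example (not from the original post): defender-side watcher that snapshots
// the cues a user relies on when scanning tabs (title, favicon, origin, login form)
// while the tab is hidden and compares them when it becomes visible again.
// The comparison is kept free of DOM calls so it can run and be tested outside a browser.

// Capture the visible identity cues of the current document.
function snapshotTab(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    origin: loc.origin,
    title: doc.title,
    favicon: icon ? icon.href : null,
    passwordFields: doc.querySelectorAll('input[type="password"]').length,
  };
}

// Compare the snapshot taken when the tab was hidden with the one taken when it
// became visible. Returns the list of cues that changed; empty means nothing the
// user relies on was altered while they were away.
function tabnabIndicators(hidden, visible) {
  const reasons = [];
  if (hidden.origin !== visible.origin) reasons.push('origin changed');
  if (hidden.title !== visible.title) reasons.push('title changed');
  if (hidden.favicon !== visible.favicon) reasons.push('favicon changed');
  if (visible.passwordFields > hidden.passwordFields) reasons.push('login form appeared');
  return reasons;
}

// Wire the comparison to the Page Visibility API. `onAlert` is an assumed callback
// (in an extension it would show a banner); it receives the list of changed cues.
function installTabnabWatcher(doc, loc, onAlert) {
  let hiddenSnapshot = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') {
      hiddenSnapshot = snapshotTab(doc, loc);
    } else if (hiddenSnapshot) {
      const reasons = tabnabIndicators(hiddenSnapshot, snapshotTab(doc, loc));
      if (reasons.length > 0) onAlert(reasons);
      hiddenSnapshot = null;
    }
  });
}

// Only attach to the real document when running inside a browser page.
if (typeof document !== 'undefined') {
  installTabnabWatcher(document, window.location, (reasons) =>
    console.warn('This tab changed while you were away: ' + reasons.join(', ')));
}
```

A plain page script is unloaded if the tab navigates to a different URL, so only in-place DOM changes are caught this way; an extension content script that persists the hidden snapshot across navigations would also catch the redirect variant.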



