Tabnapping Scams Around the Corner?
scamdetect pointed us to an interesting bit of news about a new security risk called tabnapping that was recently outlined by Aza Raskin. The short story is that background tabs are updated with login forms impersonating the sites they originally contained, but hosted by helpful third parties primarily interested in your password. (CT:Original writeup removed at request of submitter)
This is one of those stupidly smart things. (Score:4, Informative)
Not exactly. (Score:4, Informative)
Not exactly. From his page on this "exploit"...
So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.
A little peeved! (Score:1, Informative)
Noscript (Score:4, Informative)
This attack only works if you allow Javascript by default, instead of only whitelisting sites that you trust.
Re:So let me get this straight... (Score:4, Informative)
Re:Umm... (Score:4, Informative)
P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."
No, that was Abraham Lincoln, who said "you can fool some of the people all of the time, and all of the people some of the time, but you can't fool all of the people all of the time."
PT Barnum said "there's a sucker born every minute." And both he and Lincoln were correct.
Re:Tabnapping (Score:3, Informative)
window.onblur = function(){
  // runs when the tab loses focus; this is the hook the attack page uses
  // to start rewriting its own contents while the user is elsewhere
}
BTW, this isn't just a Firefox issue, he's only tested it in Firefox. It also works in Safari and IE 7 but didn't take in Chrome 5 (Mac).
Re: Tab Mix Plus doesn't work well enough (Score:3, Informative)
I tried it out and Protected/Froze/Locked the tab and the exploit ran.
I think it's because the full contents were loaded and it didn't actually try to navigate anywhere.
Re:So let me get this straight... (Score:3, Informative)
No, tab 1 is still the same site as ever, but the page you visited in tab 34 and forgot about 30 minutes ago suddenly looks like a Facebook "you have timed out, please log in" page. It even uses JavaScript to change the title of the tab and the favicon.
Pop Quiz! Were you logged into Facebook on tab 48, tab 18, or tab 42???!?!
All it takes is a bit of JavaScript inserted into a normal site using cross-site scripting, or an intentionally malicious site in the first place, or an ad server serving up whatever JavaScript anyone pays them to host. This is why I use NoScript.
The original author (not linked in the submission [azarask.in]) points out that you can use the :visited hack to choose a login screen that the user would expect to see. And you can use various other hacks to determine if the user is currently logged into some site or not.
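An added defender-side illustration, not code from this thread or from Raskin's writeup: a user script that snapshots a page's title, favicon and number of password fields when the tab loses focus and compares them when focus returns, so a login form that appeared in a background tab gets flagged. The blur/focus events and DOM calls are standard browser APIs; the alert text and the "one extra signal plus a new password field" threshold are my assumptions.

```javascript
// Snapshot the identity cues a user relies on, plus the count of password fields.
function snapshotPage(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.getAttribute('href') : null,
    passwordFields: doc.querySelectorAll('input[type="password"]').length,
  };
}

// Compare the snapshot taken at blur with the one taken at focus.
// Title changes alone are common (unread counters, clocks), so a password field
// that was not there before is required before the result is flagged.
function detectTabRewrite(atBlur, atFocus) {
  const changes = [];
  if (atBlur.title !== atFocus.title) changes.push('title');
  if (atBlur.favicon !== atFocus.favicon) changes.push('favicon');
  const loginAppeared = atFocus.passwordFields > atBlur.passwordFields;
  if (loginAppeared) changes.push('password-field');
  return { changes, likelyTabnab: loginAppeared && changes.length > 1 };
}

// Browser glue for a user script or extension content script (assumed deployment).
// The snapshot is taken at blur; the demo described above rewrites the page only
// after the tab has been in the background for a while, so the blur snapshot
// still reflects the original page.
function installTabnabbingWatch(win) {
  let atBlur = null;
  win.addEventListener('blur', () => { atBlur = snapshotPage(win.document); });
  win.addEventListener('focus', () => {
    if (!atBlur) return;
    const result = detectTabRewrite(atBlur, snapshotPage(win.document));
    if (result.likelyTabnab) {
      win.alert('This tab changed while in the background (' +
        result.changes.join(', ') + '). Check the address bar before typing a password.');
    }
    atBlur = null;
  });
}

// Only attach when running inside a browser page.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  installTabnabbingWatch(window);
}
```

The watcher only sees the tab it is injected into, so it has to run on every page (as NoScript-style extensions do), and a page that was a login form before losing focus is deliberately not flagged.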
Re:Umm... (Score:3, Informative)
PT Barnum said "there's a sucker born every minute."
No, he didn't [wikipedia.org].
Re:This is one of those stupidly smart things. (Score:3, Informative)
Now, in a two-tab scenario, this sequence of events is unlikely. But for a user with 30 tabs open, there is a non-negligible chance that they forget what was on tab 17, and assume they had some reason to log in to that site. People are really good at justifying actions that make no sense; just because they don't remember opening the site doesn't mean they won't come up with a reason why they would have. If they aren't aware of this exploit and forgot what was on the tab, they'd have little reason to be suspicious.
Basically, this isn't a Firefox specific exploit. Any tabbed browser that doesn't disable all JavaScript by default will behave this way. NoScript and similar extensions will help, but a clever website designer might design the page to be useless without JavaScript. There are enough websites like that that a sufficiently interested user might whitelist it, if only temporarily, and some small percentage of those users may succumb to the trap.
Re:This is one of those stupidly smart things. (Score:3, Informative)