Security

Tabnapping Scams Around the Corner?

scamdetect pointed us to an interesting bit of news about a new security risk called tabnapping that was recently outlined by Aza Raskin. The short story is that background tabs are updated with login forms impersonating the sites they originally contained, but hosted by helpful third parties primarily interested in your password. (CT: Original writeup removed at request of submitter)
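The defensive angle of the summary above is that the tab's location never changes: only the title, favicon and page content are rewritten while the tab is in the background. The following is an added example, not code from the story, from Aza Raskin's write-up or from any browser vendor. It is a heuristic a browser extension could run over a recorded timeline of tab events (the event shape, the `detectTabnabbing` function and all sample timelines are assumptions constructed for this illustration; a real extension would feed it from the tabs and visibility APIs). It flags a tab whose identity cues changed while hidden with no navigation, ranking favicon swaps higher than title-only changes because unread counts in titles are common in legitimate background tabs.

```javascript
// Added example (not from the Slashdot story or Aza Raskin's write-up): a
// defender-side heuristic over a recorded tab-event timeline. In a browser
// extension the events would come from the tabs/visibility APIs; here the
// timelines are constructed inline so the logic runs stand-alone in Node.
//
// Assumed event shape: { t: seconds, type: 'visibility' | 'title' | 'favicon'
// | 'navigate', value: string }. The tabnabbing pattern is a hidden tab whose
// title and favicon change without any navigation, so the address bar still
// shows the original host. That is exactly why checking the URL before
// typing a password defeats it.

function hostOf(url) {
  return new URL(url).hostname;
}

// Returns one finding per hidden period in which the tab's identity cues
// changed with no navigation. severity is 'high' when the favicon changed,
// 'low' when only the title changed (unread counts are a common benign cause).
function detectTabnabbing(events, initialUrl, initialTitle) {
  let url = initialUrl;
  let title = initialTitle;
  let favicon = null;
  let hidden = false;
  let titleChanged = false;
  let faviconChanged = false;
  let navigated = false;
  const findings = [];

  for (const ev of events) {
    switch (ev.type) {
      case 'visibility':
        if (ev.value === 'hidden') {
          hidden = true;
          titleChanged = faviconChanged = navigated = false;
        } else if (ev.value === 'visible' && hidden) {
          hidden = false;
          // A real navigation legitimately changes the tab's identity.
          if (!navigated && (titleChanged || faviconChanged)) {
            findings.push({
              at: ev.t,
              severity: faviconChanged ? 'high' : 'low',
              host: hostOf(url),
              title,
              favicon,
            });
          }
        }
        break;
      case 'title':
        title = ev.value;
        if (hidden) titleChanged = true;
        break;
      case 'favicon':
        favicon = ev.value;
        if (hidden) faviconChanged = true;
        break;
      case 'navigate':
        url = ev.value;
        if (hidden) navigated = true;
        break;
    }
  }
  return findings;
}

function describe(f) {
  return `[${f.severity}] tab still at ${f.host} now presents itself as "${f.title}" ` +
         `after changing in the background without navigating`;
}

// Constructed timeline 1: the pattern the story describes. The tab stays on
// example-blog.test but dresses up as a mail login while nobody is looking.
const suspiciousTimeline = [
  { t: 10,   type: 'visibility', value: 'hidden' },
  { t: 300,  type: 'favicon',    value: 'https://example-blog.test/mail-icon.ico' },
  { t: 301,  type: 'title',      value: 'Sign in - Web Mail' },
  { t: 3600, type: 'visibility', value: 'visible' },
];

// Constructed timeline 2: benign unread-count update in a mail tab (title only).
const benignCountTimeline = [
  { t: 10, type: 'visibility', value: 'hidden' },
  { t: 50, type: 'title',      value: '(3) Inbox' },
  { t: 90, type: 'visibility', value: 'visible' },
];

// Constructed timeline 3: benign redirect to a single sign-on page while hidden.
const benignRedirectTimeline = [
  { t: 10, type: 'visibility', value: 'hidden' },
  { t: 12, type: 'navigate',   value: 'https://login.example.test/sso' },
  { t: 12, type: 'title',      value: 'Single sign-on' },
  { t: 60, type: 'visibility', value: 'visible' },
];

for (const f of detectTabnabbing(suspiciousTimeline, 'https://example-blog.test/post', 'A blog post')) {
  console.log(describe(f));
}
```

The useful signal is the mismatch between what the tab claims to be and the host the address bar still shows; a low-severity, title-only finding is expected noise from mail and chat tabs, while a favicon swap with no navigation is the case worth surfacing to the user.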

  • Umm... (Score:3, Insightful)

    by Pojut ( 1027544 ) on Tuesday May 25, 2010 @08:57AM (#32334724) Homepage

    ...so are people really dumb enough to go "oh right, my bank's webpage" without realizing they didn't bring it up themselves?

  • Nab the tab? (Score:1, Insightful)

    by Anonymous Coward on Tuesday May 25, 2010 @08:57AM (#32334738)

    This is why it's so important to check the address of the site you're about to log into.

  • Re:Umm... (Score:1, Insightful)

    by Anonymous Coward on Tuesday May 25, 2010 @08:59AM (#32334762)

    Yes.

    Did you really need to ask?

  • Re:Umm... (Score:5, Insightful)

    by mgblst ( 80109 ) on Tuesday May 25, 2010 @09:01AM (#32334792) Homepage

    What if they have it in another tab already? Then it would work.

    And if you use this for gmail, or facebook, tabs that people always have opened, it is going to get results.

    This is actually incredibly brilliant. I am going to pay more attention to my tabs from now on.

  • Re:Umm... (Score:3, Insightful)

    by Anonymous Coward on Tuesday May 25, 2010 @09:04AM (#32334830)

    I think what might be more disturbing is if the application looked at what url your other tabs are and redirected those sites to phishing sites that have copied the layout.

  • Re:Umm... (Score:3, Insightful)

    by commodore64_love ( 1445365 ) on Tuesday May 25, 2010 @09:06AM (#32334848) Journal

    Well for example I'm logged into facebook right now. As I'm jumping from site to site in Tab #2, one of them could hijack Tab #1 and make it look like a legitimate facebook login screen. And I would probably fall for it when, in about an hour, I go back to see it. I'd type in my name and password without realizing a thief was watching.

  • Re:Not exactly. (Score:3, Insightful)

    by jandrese ( 485 ) <kensama@vt.edu> on Tuesday May 25, 2010 @09:29AM (#32335104) Homepage Journal

    The idea is that these users we always hear about who never have less than 50 tabs open can't remember which tabs are which, and if you put up a Facebook login screen or something, then you'll think it's just a timed out Facebook session.

    Even before tabbed browsing was popular, you could have done this with minimized or backgrounded windows too. To me the big problem is that he has to create a site that people will feel compelled to leave open while they go off and do something else. That will probably be the most difficult part.
  • by roman_mir ( 125474 ) on Tuesday May 25, 2010 @09:29AM (#32335110) Homepage Journal

    Whitelisting is not an impossible concept, or is it?

  • by simoncpu was here ( 1601629 ) on Tuesday May 25, 2010 @09:30AM (#32335116)

    Are you sure this post is not a scam that is intended to drive traffic to your site?
  • by clickety6 ( 141178 ) on Tuesday May 25, 2010 @09:41AM (#32335256)

    First tab-nabbing and now submission-nabbing where the link in the article changes after submission!

  • by mysidia ( 191772 ) on Tuesday May 25, 2010 @09:42AM (#32335284)

    Slashdot is about news, not driving traffic to someone's website.

    And 'getting traffic' is not some kind of exchange or reward offered for submitting an article.

    If a different link is editorially better, then it is expected that the editors will swap it.

  • by Anonymous Coward on Tuesday May 25, 2010 @09:46AM (#32335336)

    i am so goddamned tired of hearing these stories that say "oh noes, stupidity might be painful, what will we do, it's so terrible, simpwy tewwible!" if you are stupid you should not breed. if you are stupid, nature has only ever had one cure for that, a little good old Darwinism natural selection. why the fuck do we care so much about them getting ripped off and having some money taken away when we should be sterilizing them surgically?
  • by Anonymous Coward on Tuesday May 25, 2010 @09:51AM (#32335424)

    Regardless of which link is in the story, I still greatly benefit from you having taken the time to write the blog post and submit it to slashdot. Thank you for that.

    Oh, you meant benefit to you! What do you think slashdot is? Just a way to generate eyeballs for your personal blog? Screw you for that.

  • by Anonymous Coward on Tuesday May 25, 2010 @10:07AM (#32335670)

    I agree it was transparently disrespectful of CmdrTaco to approve your submission, but with someone else's link. However:

    1. The linked article predates your linked blog according to the submission timestamps on each blog
    2. The linked article contains further links to relevant information, including a link to the original subject's website and a proof-of-concept site.

    I understand the euphoric feeling you got when your submission was accepted, and I also understand that sinking sensation you felt when you realized your blog was not linked-to even though your submission was accepted. That being said, repackaged news is repackaged news is repackaged news and I don't think you will find much sympathy around here that your (arguably, less useful) brand of news repackaging won't be netting you ad dollars like you intended.
  • by Anonymous Coward on Tuesday May 25, 2010 @10:12AM (#32335732)

    ... why the fuck do we care so much about them getting ripped off and having some money taken away when we should be sterilizing them surgically?

    Certain 'officials' would not get elected if that was to happen. Doesn't matter which party.

    that's one of the many network effects of having so many stupid people. we should have thought a whole lot harder about protecting people from themselves and defeating natural selection. making hard drugs illegal, putting warning labels on rat poison telling people not to eat it, labels on coffee telling people that a drink prepared with boiling water is hot, food stamps and WIC and other programs that don't first require that the men get a vasectomy and the women get their tubes tied, "fat acceptance" movements, and the notion that a homeowner could ever be held responsible for shooting an intruder who breaks into his home are just a few examples.

  • by mcgrew ( 92797 ) * on Tuesday May 25, 2010 @10:18AM (#32335816) Homepage Journal

    That's a valid reason for including the link and for being disappointed that it was replaced - isn't it?

    Not in my eyes it isn't, and I wish they'd do it more often -- like when the submission has ten ad-laden one-paragraph pages I wish they'd link to a single page view, whether that site or another. Of course you think your blog was better than krebsonsecurity, but personally I almost never click on any link with "blog" in the name, especially from slashdot. They've gotten a lot of (well deserved) flak in the past for linking a blog that links an original story, and I'm glad they're listening.

    Be glad that they didn't rewrite the entire summary as they've done with some of my submissions.

    A submission is supposed to benefit the slashdot community, not the submitter. Too often people like you make submissions just to drive traffic to their own site for the money.

    Shame on you.

  • by Qzukk ( 229616 ) on Tuesday May 25, 2010 @10:59AM (#32336338) Journal

    They've gotten a lot of (well deserved) flak in the past for linking a blog that links an original story, and I'm glad they're listening

    They're not listening, the blog post they substituted is still just someone bloviating about the original article and proof of concept [azarask.in].

    In action, it's scary in a way that just listening to some blogger yak about it doesn't get the point across, and the author points out how to use the :visited detectors and various hacks to detect if you've logged into a site or not to make it even scarier.

  • by Garble Snarky ( 715674 ) on Tuesday May 25, 2010 @11:58AM (#32337166)

    A legitimate purpose like, say, significant development work on a well-known, large-scale open source project, such as Firefox?

    All you had to read was the first sentence of the summary...
  • by Hurricane78 ( 562437 ) <deleted @ s l a s h dot.org> on Tuesday May 25, 2010 @12:56PM (#32337906)

    And it'd be their own damn fault for having such a mess.

    Seriously? You need hundreds of tabs? Did you never hear of doing first things first, and freeing your mind from other stuff? Did they never hear of bookmarks, bookmark folders and saving sessions (e.g. with TabMix Plus)?

    Sorry, but there's a point at which you just deserve it. This is one of them. Like cockroaches in an apartment that looks like a garbage dump.
