Security

Tabnapping Scams Around the Corner?

scamdetect pointed us to an interesting bit of news about a new security risk called tabnapping that was recently outlined by Aza Raskin. The short story is that background tabs are updated with login forms impersonating the sites they originally contained, but hosted by helpful third parties primarily interested in your password. (CT: Original writeup removed at request of submitter)
  • Sneaky... (Score:4, Interesting)

    by fuzzyfuzzyfungus ( 1223518 ) on Tuesday May 25, 2010 @09:01AM (#32334788) Journal

    Obviously, this won't subvert SSL certs or anything; but studies consistently demonstrate that users oscillate between "don't know" and "don't care" about those, so that isn't much comfort.

    And, since pages reloading themselves, or even forwarding to a different domain and URL entirely, after a delay is fairly common (if generally annoying) in a wide variety of legitimate applications, you can't really just break the ability to do that. Sure, you could add it as an advanced option somewhere, or get it largely for free with the right NoScript settings; but there is no way you can break it by default.

    You pretty much just fall back on the phishing filter, which is a lame, AV-esque "solution". This would seem to apply to all tabbed browsers, as well.
  • by roman_mir ( 125474 ) on Tuesday May 25, 2010 @09:08AM (#32334868) Homepage Journal

    Maybe it is time for the browsers to take matters more seriously and block any scripts from running in tabs that are not currently in focus.

    But this can be done in separate windows too, not just in tabs. In terms of whether this is a new concept, let's just say that I have 'seen' this done 10 years ago to gain access to some chat accounts.

  • Re:Umm... (Score:4, Interesting)

    by fuzzyfuzzyfungus ( 1223518 ) on Tuesday May 25, 2010 @09:12AM (#32334922) Journal

    P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."

    Arguably, that will be the case here. Your basic clueless noobtard will click on just about anything that looks vaguely plausible, and a lot of stuff that doesn't. This technique will be overkill for them, since straight phishing still works just fine.

    Your competent power user, on the other hand, may not fall for the trivial cases (two or three tabs, "innocuous-linkfarm.typosquatter.com" changes into "evil.ath.cx/yourbankherereallyhonestly.html" in front of your eyes); but they are the ones most likely to have 10 firefox windows open, each with 20 or 30 tabs, possibly on multiple monitors. Unless you possess an inhuman ability to maintain state tables in your head, you could easily assume that "yourbank.scam.com" on browser window 5, tab 15, is the "yourbank.com" that you actually did open, on browser window 7, tab 19. That'd be a totally understandable mistake, some percentage of the time, especially if you were tired, distracted, multitasking, or getting sauced enough to face a legacy refactoring project.

    Again, tab-related trickery is of no particular use against SSL and cert validation, so the clueful user could detect it that way (unless combined with some attack on SSL, the browser's implementation of it, or the integrity of a trusted certificate authority); but there is no particular reason to suspect that any but the most paranoid user would detect the tab-substitution attack itself.
  • Solution... (Score:1, Interesting)

    by morkus ( 161747 ) on Tuesday May 25, 2010 @09:16AM (#32334976)

    Simple solution - don't use tabs in browsers. The first thing I do to any browser I sit in front of, is to immediately disable the use of tabs. I have never understood why many people think they are a good idea - I think they break a heap of good UI principles.

    My two cents as far as tabs go, is that a window should be a window - not a collection of tabs - for the simple reason that tabs obfuscate (hide) the content within. Yes, I can see the advantages of tabs within some UIs in certain situations - for example: segmenting "general" from "advanced" preferences; stepping data through a process, or in a rich client application where data is related.

    Where tabs are a bad fit for browsing is that the data viewed in web apps is often too disparate - there is no linkage between any of the tabs within a "window" - the content of what is presented within is asynchronous and disconnected - tabs in browsers never have a true relationship with each other. Sure - you might be looking at two related sites, or two pages within a site, but tabs offer nothing (UI-wise) that a window cannot do. A new window offers a single view of a chunk of information; if you need another view, why not simply use another window. A mish mash of windows filled with tabs does not improve the UI in any way.

  • by supersloshy ( 1273442 ) on Tuesday May 25, 2010 @09:21AM (#32335042)

    You see this, and think "Why didn't someone think about this before?"

    Tab Mix Plus [mozilla.org] has had locked tabs [garyr.net] for a while now. I'm not entirely sure if this fixes the issue of tabnapping, but it looks like it might.

  • Re:A little peeved! (Score:1, Interesting)

    by scamdetect ( 1731728 ) on Tuesday May 25, 2010 @09:33AM (#32335162) Homepage

    Ha ha! Very droll!! Original submission is here [slashdot.org]
  • Re:A little peeved! (Score:1, Interesting)

    by Anonymous Coward on Tuesday May 25, 2010 @09:36AM (#32335196)

    Dear Slashdot:

    I submitted the above story this morning and was pleased when it was accepted for publication on your website.

    However, I was a little peeved to find that the link I included in the story [scam-detectives.co.uk] was substituted in the final story with this one [krebsonsecurity.com].

    Obviously this substitution removes any benefit whatsoever of my having taken the time to write the blog post and submit it to slashdot in the first place.

    Any chance of swapping the link back?

    Slashdot seems to "favor" krebsonsecurity.com for some reason, and might have some behind the scenes agreement with them to shove traffic to them artificially. Please don't operate under any assumption that the /. "editor" staff is going to be fair and objective. They have their agendas, and have certainly rewritten submissions to suit their purposes in the past.

  • Re:Not exactly. (Score:5, Interesting)

    by WrongSizeGlass ( 838941 ) on Tuesday May 25, 2010 @09:38AM (#32335220)

    So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.

    Exactly ... but if the 'fake' site checks your browser history for the specific fake login screens they have in their repertoire then they can show one that you have used recently.

  • by Anonymous Coward on Tuesday May 25, 2010 @09:42AM (#32335262)

    No, because this is REALLY dangerous for Yahoo Mail.

    I'm logged in, and it likes to revert back to login pages all the time! It even makes you log in twice "to check your security". So this TabMcNab exploit is going to be really dangerous somewhere. I'm pretty sharp, but that page has cried wolf so many times I would have fallen for this if it was grade-A delivered.

  • by roman_mir ( 125474 ) on Tuesday May 25, 2010 @09:47AM (#32335360) Homepage Journal

    Even if the scripts are completely disabled on the page, what about a delayed HTTP response, in effect a push to the browser by a server that is done sometime after the page is loaded as a delayed response to the browser request?

    It's really hard to avoid all possible scenarios on how a page can be changed from something to something else.

  • Re:Umm... (Score:3, Interesting)

    by delinear ( 991444 ) on Tuesday May 25, 2010 @10:26AM (#32335932)

    I bank with HSBC, which is by no means a little no-name bank, and they let me log in with just typed credentials (account details and three digits of a 6-9 digit pin). I wish they'd back this up with some kind of dongle authentication, like other banks, but their answer is to have me install some rubbish plugin if I want added security, which I can't always do if I'm using different machines, working off site, etc. so I have little choice (other than the hassle of changing banks) than to accept their requirements. I have taken to using the on-screen keyboard so that I can enter with mouseclicks rather than keypresses if I'm on an untrusted machine, but other than that I can't do much else.

    It seems to me that online security is being loosened rather than tightened, in the name of providing more freedom to users (in other words just not making them jump through a couple more hoops to protect their life savings) - simple text entry, banking on mobile phones, isn't all this just asking for trouble? Ten years ago I could create one-time debit/credit card accounts with a fixed maximum or that expired after X payments or that could only be charged by client Y, etc., and yet I have a hard time finding any of that from the major banks today.

  • by Anonymous Coward on Tuesday May 25, 2010 @11:31AM (#32336794)

    "Slashdot is about news, not driving traffic to someone's website. And 'getting traffic' is not some kind of exchange or reward offered for submitting an article. If a different link is editorially better, then it is expected that the editors will swap it." - by mysidia (191772) on Tuesday May 25, @09:42AM (#32335284)

    Ahem: BULLSHIT! Slashdot's altering scamdetect's post is doing EXACTLY WHAT YOU ACCUSE SCAMDETECT OF (basically): Slashdot's editors altering scamdetect's source data is directing traffic to a "crony" of these so-called story editors' favorite/pal/affiliate (their crony in other words) site imo @ least... taking/playing "favorites" in essence.

    Krebs on security appears to be a "crony" (or what's the word SEO optimization scammers use? Oh, yes: "Affiliates") of the editors here!

    AGAIN: The editors here are in fact violating what you said yourself about "driving traffic to someone else's site" (which is EXACTLY what they're doing by taking out the url link that spamdetect put up, and putting in one of the slashdot editors' own choice instead).

    After all - Neither Krebs' article (dated Monday, May 24th, 2010 at 9:07 pm) nor the one scamdetect put up (dated today, Tues. May 25th, 2010) are the original discoverers of this material, so neither one's date data really matter either, as to "whom posted what first"!

    Nor is either one better than the other, imo @ least, editorially!

    (Now, as far as MY credentials in this field? Ok - I am a multiply degreed college grad here no less in both CSC & MIS, complete with all the English you'd ever need in both of those degrees I have on the subject of computer sciences (along with 16 yrs. of professional experience on my part & being multiply internationally published for my works in this science, plus being featured as tech shows like MS TechEd 2 yrs in a row as a finalist for commercial code work & ideas in the hardest category there in SQLServer Performance Enhancement while on paid contract to do so increasing the programs used effectiveness by 40% or more (block level device driver work & data structuring in said commercial wares of "Enterprise Class" scale classification) for them no less also)).

    I wonder who is more qualified on the subject of computing here... myself, or the "editors of slashdot"? I say that, because I disagree with your statements/thoughts, strongly, and I wager that the story editors here aren't even as qualified on this science & subject as I am (nor moreso on their parts in English either).

    Secondly: What exactly qualifies Slashdot's editors as to "what's better editorially"?

    Again - Do they have degrees in English to substantiate that they themselves are "expert" on what's better, editorially??

    I'd wager not.

    Man - You're the pot calling the kettle black man!

    (Plus, this isn't the first time I have seen this type of shenanigan out of slashdot (or other news websites) either!)

    This happens ALL THE TIME (in catering to "partners/affiliates/favorites" (spelled sideways = CRONIES!)), & I also feel it's wrong as well.

    APK

    P.S.=> Bottom-line? Well, I also think scamdetect has every right to be upset that his submission was altered by the story editors here, as to the link submitted data as the source, because I'd actually wager that Brian Krebs may be no more qualified as an expert in this area than are the folks that scamdetect originally initially used as his source data in fact - unless someone can show me that Brian Krebs has his CISSP certification, or an actual A.A.S. or B.S. (or better in post grad masters or doctoral work) in CSC related disciplines (or, those CSC degrees specifically those related to computer security actually)... apk

  • by roman_mir ( 125474 ) on Tuesday May 25, 2010 @12:40PM (#32337716) Homepage Journal

    sure, there is also a possibility of a delayed HTTP response to a request, a so-called server push.

  • Re:Umm... (Score:3, Interesting)

    by Qzukk ( 229616 ) on Tuesday May 25, 2010 @12:48PM (#32337798) Journal

    user actually changed tab?

    window.onblur()

    Being somebody who got 20-30 tabs up and running along with massive tab switching I can't see how I would not spot that it's forcefully reloaded and wrong?

    Do you know for certain, without looking, what is in tab #8 right this instant? If you had to look, then if you didn't read the exact URL you just lost. If you didn't have to look or you looked at the URL instead of just the title or the icon on the tab, then you would realize that tab #8 was wrong and you would be immune.

    I think the majority of people would fall for it, even if they only had three or four tabs open instead of 20-30.
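Detection logic for the pattern the thread describes (Qzukk's window.onblur trigger, fuzzyfuzzyfungus's point that users scan tab titles and icons rather than URLs, and the Yahoo Mail false-positive case), as an added example that is not code from this thread or from Aza Raskin's write-up; the event shapes and the flagging rule are assumptions of this example.

```javascript
// Added example, not from the Slashdot thread or Aza Raskin's write-up.
// Models the trace tabnapping leaves: a page that waits until its tab is
// hidden, then redraws title, favicon and body into a login form. Event
// shapes are an assumption; a content script could record them from
// visibilitychange, <title>/<link rel=icon> mutations and DOM insertions.

// Returns { suspicious, reasons } for one tab's chronological event stream.
function analyzeTabEvents(events) {
  const seenWhileHidden = new Set();
  let hidden = false;
  for (const ev of events) {
    if (ev.type === "hidden") hidden = true;         // tab lost focus (onblur)
    else if (ev.type === "visible") hidden = false;  // user came back
    else if (hidden) seenWhileHidden.add(ev.type);   // change in background
  }
  const reasons = [];
  // Identity cues a user scans in the tab strip (the "tab #8" problem).
  if (seenWhileHidden.has("title")) reasons.push("title changed while hidden");
  if (seenWhileHidden.has("favicon")) reasons.push("favicon changed while hidden");
  // The payload: a credential form that was not there when the user left.
  if (seenWhileHidden.has("password_field")) reasons.push("password field appeared while hidden");
  // A real navigation shows in the URL bar; still worth surfacing.
  if (seenWhileHidden.has("location")) reasons.push("location changed while hidden");
  // Flag only the combination: new credential form plus a re-skinned tab.
  // Caveat: a site that times out and redraws its own login while hidden
  // (the Yahoo Mail case in the thread) matches too; a deployed check should
  // also compare the form's action origin against the page origin.
  const suspicious = seenWhileHidden.has("password_field") &&
    (seenWhileHidden.has("title") || seenWhileHidden.has("favicon"));
  return { suspicious, reasons };
}

// Constructed sample streams (not real captures).
const tabnapStyle = [
  { type: "hidden" },
  { type: "title", value: "Sign in to your account" },
  { type: "favicon", value: "/lookalike.ico" },
  { type: "password_field" },
  { type: "visible" },
];
const liveNewsFeed = [
  { type: "hidden" },
  { type: "title", value: "(3) New headlines" },   // unread counter only
  { type: "visible" },
];
const loginWhileVisible = [
  { type: "title", value: "Session expired" },     // user is watching the tab
  { type: "password_field" },
];
```

Calling analyzeTabEvents(tabnapStyle) flags the stream with three reasons, while the news-feed and visible-login streams are not flagged.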
