Tabnapping Scams Around the Corner?

Posted by CmdrTaco
from the well-that's-not-very-nice dept.
scamdetect pointed us to an interesting bit of news about a new security risk called tabnapping that was recently outlined by Aza Raskin. The short story is that background tabs are updated with login forms impersonating the sites they originally contained, but hosted by helpful third parties primarily interested in your password. (CT:Original writeup removed at request of submitter)
  • Umm... (Score:3, Insightful)

    by Pojut (1027544) on Tuesday May 25, 2010 @08:57AM (#32334724) Homepage

    ...so are people really dumb enough to go "oh right, my bank's webpage" without realizing they didn't bring it up themselves?

    • Re:Umm... (Score:5, Insightful)

      by mgblst (80109) on Tuesday May 25, 2010 @09:01AM (#32334792) Homepage

      What if they have it in another tab already? Then it would work.

      And if you use this for gmail, or facebook, tabs that people always have opened, it is going to get results.

      This is actually incredibly brilliant. I am going to pay more attention to my tabs from now on.

      • by PopeRatzo (965947) *

        As long as they leave my Quick Launch bar alone.

      • by delinear (991444)
        As far as I can tell that's exactly what the author is getting at, it's just badly summed up by saying they leave the page. What it means is, you open Facebook or something in one tab, in another tab you go to a site which has an embedded attack that reloads the Facebook tab with a phishing site that looks the same but has some "timeout, please login again" message. To the user it doesn't appear that they left the FB site at all, and likely when they "log in" the phishing site will collect their details and
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      I think what might be more disturbing is if the application looked at what url your other tabs are and redirected those sites to phishing sites that have copied the layout.

    • Re: (Score:3, Insightful)

      Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen. And I would probably fall for it when, in about an hour, I go back to see it. I'd type in my name and password without realizing a thief was watching.

      • Not exactly. (Score:4, Informative)

        by khasim (1285) <brandioch.conner@gmail.com> on Tuesday May 25, 2010 @09:12AM (#32334920)

        Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen.

        Not exactly. From his page on this "exploit"...

        You can try it out on this very website (I've only tested it in Firefox). Click away to another tab for at least five seconds. Flip to another tab. Do whatever. Then come back to this tab.

        It's hard to find, isn't it? It looks exactly like Gmail. I was lazy and took a screenshot of Gmail which loads slowly. It would be better to recreate the page in HTML.

        So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.

        • Re: (Score:3, Insightful)

          by jandrese (485)
          The idea is that these users we always hear about who never have less than 50 tabs open can't remember which tabs are which, and if you put up a Facebook login screen or something, then you'll think it's just a timed out Facebook session.

          Even before tabbed browsing was popular, you could have done this with minimized or backgrounded windows too. To me the big problem is that he has to create a site that people will feel compelled to leave open while they go off and do something else. That will probabl
          • Except your Facebook never times out unless you log into it on another computer or you don't tick the box to stay logged in.. which I suppose some people might if they don't know how to set up multiple accounts on their computer.

            To create a site that people will feel compelled to leave open while they go off and do something else.. that actually sounds incredibly easy - either a porn site or a "humourous" video amalgamation feed type thing which opens the links you click on in a new tab.

            • by delinear (991444)

              Except your Facebook never times out unless you log into it on another computer or you don't tick the box to stay logged in.. which I suppose some people might if they don't know how to set up multiple accounts on their computer.

              More likely users on public machines who might want to have a few windows open while they're working but don't want to have to remember to sign out if they get called away for a few hours and don't have a chance to return to their session.

              To create a site that people will feel compelled to leave open while they go off and do something else.. that actually sounds incredibly easy - either a porn site or a "humourous" video amalgamation feed type thing which opens the links you click on in a new tab.

                Not that easy, in fact, if you could come up with a way to create sites people never wanted to close (and to repeat the success at will, because as soon as your original phishing site got blacklisted you'd have to be able to create a new one) then you could earn very good

        • Re:Not exactly. (Score:5, Interesting)

          by WrongSizeGlass (838941) on Tuesday May 25, 2010 @09:38AM (#32335220)

          So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.

          Exactly ... but if the 'fake' site checks your browser history for the specific fake login screens they have in their repertoire then they can show one that you have used recently.

          • Exactly ... but if the 'fake' site checks your browser history for the specific fake login screens they have in their repertoire then they can show one that you have used recently.

            AND if you're not using noscript (or equivalent) or you allow that site to run whatever javascript it wants. And so forth.

          • by nmg196 (184961)

            How? You can't check someone's browser history using JavaScript.

      • by Pojut (1027544)

        Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen

        Ah, but like you said, you are logged into Facebook right now. Would you not find it suspicious if when you clicked back over to it, you were greeted with a login screen?

        • like you said, you are logged into Facebook right now. Would you not find it suspicious if when you clicked back over to it, you were greeted with a login screen?

          A lot of web sites periodically invalidate session cookies after 24 hours. In that case, the next link you click even on the legitimate site will present a login screen.

        • by delinear (991444)
          Facebook is just a convenient example people have heard of. There are other sites where such an attack could do a lot more damage and which the user would expect to be periodically logged out of - banking for example, although if you leave a banking session open and logged in while you're working in other tabs you're probably asking for trouble anyway, but that doesn't mean it never happens.
    • Re:Umm... (Score:4, Interesting)

      by fuzzyfuzzyfungus (1223518) on Tuesday May 25, 2010 @09:12AM (#32334922) Journal
      P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."

      Arguably, that will be the case here. Your basic clueless noobtard will click on just about anything that looks vaguely plausible, and a lot of stuff that doesn't. This technique will be overkill for them, since straight phishing still works just fine.

      Your competent power user, on the other hand, may not fall for the trivial cases (two or three tabs, "innocuous-linkfarm.typosquatter.com" changes into "evil.ath.cx/yourbankherereallyhonestly.html" in front of your eyes); but they are the ones most likely to have 10 firefox windows open, each with 20 or 30 tabs, possibly on multiple monitors. Unless you possess an inhuman ability to maintain state tables in your head, you could easily assume that "yourbank.scam.com" on browser window 5, tab 15, is the "yourbank.com" that you actually did open, on browser window 7, tab 19. That'd be a totally understandable mistake, some percentage of the time, especially if you were tired, distracted, multitasking, or getting sauced enough to face a legacy refactoring project.

      Again, tab-related trickery is of no particular use against SSL and cert validation, so the clueful user could detect it that way (unless combined with some attack on SSL, the browser's implementation of it, or the integrity of a trusted certificate authority); but there is no particular reason to suspect that any but the most paranoid user would detect the tab-substitution attack itself.
      • by KiloByte (825081)

        tab-related trickery is of no particular use against SSL and cert validation,

        And how exactly would SSL help in this case? The phisher will have a legitimate cert for *.scam.com, you're not going to catch it unless you notice the URL is wrong or you run Certificate Patrol.

      • Re:Umm... (Score:4, Informative)

        by mcgrew (92797) * on Tuesday May 25, 2010 @09:55AM (#32335472) Homepage Journal

        P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."

        No, that was Abraham Lincoln, who said "you can fool some of the people all of the time, and all of the people some of the time, but you can't fool all of the people all of the time."

        PT Barnum said "there's a sucker born every minute." And both he and Lincoln were correct.

      • Actually, wrt banking transactions, I'm cautious enough due to cross-site scripting vulnerabilities that I won't open a bank session when I have any other tabs open.

      • >>>most likely to have 10 firefox windows open, each with 20 or 30 tabs, possibly on multiple monitors. Unless you possess an inhuman ability to maintain state tables in your head, you could easily assume that "yourbank.scam.com" on browser window 5, tab 15, is the "yourbank.com" that you actually did open, on browser window 7, tab 19. That'd be totally understandable mistake

        I don't understand power users like that. Do you REALLY need to have ~50 different websites open? First off, m

    • People are dumb enough to install Latest Awesome Bling MSN smileypack + FREE TROJANS, they are dumb enough to fall for this. Banks around here do recommend opening a NEW browser window for banking and closing it after done tho as a dumb user safeguard. But they also implement proper 2 factor (what you know + what you have, a smart card with pin needed to use certificates) authentication system. Legacy 1.5 factor system is severely limited (sum you can move is ridiculously small) already and will be phased
      • by sglane81 (230749)

        This does not prey on smart or dumb. This preys on how much information you can hold in your head at the same time. Miller's magic number 7. When you go beyond 7 things, you'll have to access different memory which is where the sleight of hand is at play.

        http://en.wikipedia.org/wiki/The_Magical_Number_Seven,_Plus_or_Minus_Two [wikipedia.org]

      • by KiloByte (825081)

        The phisher will just proxy your session to the real bank. Except, when you make that transfer, oops!, it will go to a different account. All while displaying the account you wanted on your screen.

    • ...so are people really dumb enough to go "oh right, my bank's webpage" without realizing they didn't bring it up themselves?

      Having cleaned malware from at least a dozen computers/hard drives in the last couple months alone... Yes.

    • by erroneus (253617)

      Actually, in theory, they already had their bank web page up and when they weren't looking, some other code/app changes that page to a phishing page that looks like the bank's site except that it says "session timed out, please log in again." At which point, the user provides his username and password to restore his session.

      Not only do I see the average Joe falling for this sort of attack, I see *ME* falling for such an attack. I use uncommon financial and insurance companies and I have never seen a phishi

    • ...so are people really dumb enough to go "oh right, my bank's webpage" without realizing they didn't bring it up themselves?

      Short answer, yes! Long answer, yes!

      It's not even about being stupid or being dumb but the majority of people is simply clueless. It's their computer and that's safe by definition. They can't imagine that anything they see in their browser (or other program) they started up themselves could be malicious.

      They had to be taught to not click on links in their mail and you expect that very same group to know that a website can be evil too, even if it looks exactly, pixelperfect, the same as the website they usu

    • are people really dumb enough to

      For any way that you can finish that sentence, the answer is always 'some people are, yes'. The question is how many people are dumb enough. If the end result is someone else having access to your bank account, then even a few people can make it worthwhile.

  • People who do this crap of stealing people's accounts or identities should be shot.

    • Re: (Score:3, Funny)

      by PhongUK (1301747)
      How do we identify them?
      • by Chrisq (894406)

        People who do this crap of stealing people's accounts or identities should be shot.

        How do we identify them?

        Why not ask the RIAA. They identify lots of copyright infringers. What could possibly go wrong.

    • On second thought, since government does sometimes convict innocent people, let's avoid the death penalty. Let's make these creeps lifelong indentured servants to whomever they have harmed. I wouldn't mind having the guy who stole my credit card and purchased $4000 at Walmart serve as my maid for a summer.

      • Re: (Score:2, Funny)

        by AndrewBC (1675992)

        New plan: steal my own identity sloppily under the guise of your identity which I stole perfectly. Now polish my boots!

        • New plan: steal my own identity sloppily under the guise of your identity which I stole perfectly. Now polish my boots!

          Now, that is just evil. Go to your room and think about what you've ... um, on the other hand, stop thinking about that stuff before you come up with an even more devilish plan.

  • Sneaky... (Score:4, Interesting)

    by fuzzyfuzzyfungus (1223518) on Tuesday May 25, 2010 @09:01AM (#32334788) Journal
    Obviously, this won't subvert SSL certs or anything; but studies consistently demonstrate that users oscillate between "don't know" and "don't care" about those, so that isn't much comfort.

    And, since pages reloading themselves, or even forwarding to a different domain and URL entirely, after a delay is fairly common (if generally annoying) in a wide variety of legitimate applications, you can't really just break the ability to do that. Sure, you could add it as an advanced option somewhere, or get it largely for free with the right NoScript settings; but there is no way you can break it by default.

    You pretty much just fall back on the phishing filter, which is a lame, AV-esque "solution". This would seem to apply to all tabbed browsers, as well.
    • by jamesh (87723)

      Obviously, this won't subvert SSL certs or anything

      Are there any browser addons that alert you when you are entering a password into a non-SSL site? That would reduce this problem unless the bad guys got SSL certs or compromised websites with SSL certs, which is less common. And even then, the addon could flash something down the bottom like "entering password for yourbank.com" vs "entering password for yourbank.com.badguy.ru". You'd have to be observant but less actively so.

  • by Securityemo (1407943) on Tuesday May 25, 2010 @09:02AM (#32334796) Journal
    You see this, and think "Why didn't someone think about this before?"
    • Re: (Score:3, Interesting)

      by supersloshy (1273442)

      You see this, and think "Why didn't someone think about this before?"

      Tab Mix Plus [mozilla.org] has had locked tabs [garyr.net] for a while now. I'm not entirely sure if this fixes the issue of tabnapping, but it looks like it might.

      • I tried it out and Protected/Froze/Locked the tab and the exploit ran.

        I think it's because the full contents were loaded and it didn't actually try to navigate anywhere.

      • Re: (Score:3, Informative)

        by Garble Snarky (715674)
        The locking prevents the user from navigating to another page. I don't think it has any effect on scripts that were initially loaded with the page.
  • Without having RTFA:

    That sounds a lot more complicated as you'd need to hack at least one high traffic website, read the cookies stored by the browser, and then force a meta-refresh only when the user isn't looking.

    • Re: (Score:3, Informative)

      Changing it when you're not looking is done very easily:
      // changeItUp is the function that rewrites the page once the tab has lost focus
      var TIMER;
      window.onblur = function () {
        TIMER = setTimeout(changeItUp, 5000);
      };

      BTW, this isn't just a Firefox issue, he's only tested it in Firefox. It also works in Safari and IE 7 but didn't take in Chrome 5 (Mac).
  • by roman_mir (125474) on Tuesday May 25, 2010 @09:08AM (#32334868) Homepage Journal

    Maybe it is time for the browsers to take matters more seriously and block any scripts from running in tabs that are not currently in focus.

    But this can be done in separate windows too, not just in tabs. In terms of whether this is a new concept, let's just say that I have 'seen' this done 10 years ago to gain access to some chat accounts.

    • Except this would break AJAX applications that need to send heartbeats, such as chat applications.
    • by jafiwam (310805)
      Maybe, as an option with a white list for sites. I say this, because Slashdot would be completely useless if there weren't options. It takes 90 seconds to load all the crap scripting in FireFox if there is more than 100 or so comments. One of the nice things about using tabs, is one window can contain whatever slow-assed crap I am trying to pull up researching some dumb error or other. Having the tab do nothing while not being viewed would remove 99% of the usefulness of tabs.
    • Except for the fact that the Web Browser, like it or not, is more than just a web browser; it is an interface platform for applications. You can bitch and moan all you want. However the Web Apps are here and they are going to stay for a long time. Every time you try to block a security issue you close another door for honest development. So the easy fix of saying you can't cross script to other tabs or windows sounds like an easy fix... It really isn't.

      • by roman_mir (125474)

        I don't know who is bitching or moaning, but the suggestion is totally reasonable when provided with a white-list, so the sites you want to run scripts on background will be able to if the browser warns the user that there are scripts on the background that await execution and that switching from the tab will stop them.

        Then the proverbial: Cancel/Allow or something to that effect would add this site to a white-list.

        So, no need for your dramatic epithets.

  • I'm supposed to open a tab, go to a website, open a second tab, go to a compromised website which changes the content of the first tab without my interaction, and then log on to the site presented in the first tab? Don't you think that I'll notice that I'm not on the same website I was on previously?

    Seriously, all of these types of attacks rely on the user having the mental capacity of a damp shoelace. Maybe letting them get bitten every so often will teach them to pay more attention to what's going on, a
    • by The MAZZTer (911996) <megazzt@@@gmail...com> on Tuesday May 25, 2010 @09:17AM (#32334990) Homepage
      Some people keep 100s of tabs open. They could come back hours later and see a Gmail login screen and assume they opened it at some point.
      • Re: (Score:3, Insightful)

        by Hurricane78 (562437)

        And it'd be their own damn fault for having such a mess.
        Seriously? You need hundreds of tabs? Did you never hear of doing first things first, and freeing your mind from other stuff? Did they never hear of bookmarks, bookmark folders and saving sessions (e.g. with TabMix Plus)?

        Sorry, but there's a point at which you just deserve it. This is one of them. Like cockroaches in an apartment that looks like a garbage dump.

    • by PatHMV (701344)
      No, the attack knows what site you had open in tab 1, and replaces the page that had been in there with another page which appears to be from the SAME site. It will have all the right logos and so forth, and will say something like "Your Facebook session has timed out. Please log in again." ... with a very normal looking log-in button right below it. Except that you're not actually on Facebook in that tab anymore. In other words, RTFA. This is a potentially very sophisticated attack which could dupe even
      • Re: (Score:3, Informative)

        by Qzukk (229616)

        No, tab 1 is still the same site as ever, but the page you visited in tab 34 and forgot about 30 minutes ago suddenly looks like a facebook "you have timed out please log in" page. It's even used javascript to change the title of the tab and the favicon.

        Pop Quiz! Were you logged into Facebook on tab 48, tab 18, or tab 42???!?!

        All it takes is a bit of javascript inserted into a normal site using cross-site scripting, or an intentionally malicious site in the first place, or an adserver serving up whatever j
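An added defender-side example, not code from the Slashdot thread or from Aza Raskin's demo page: it snapshots a tab's identity (origin, title, favicon, login forms) when the tab loses focus and compares on return, which covers the onblur timer posted above and the title/favicon swap Qzukk describes, and adds the "where does this password go" check jamesh asks about. The fake document and every host name in it are constructed.

```javascript
// Added defender-side example, not code from the Slashdot thread or from Aza
// Raskin's demo page. It snapshots a tab's identity (origin, title, favicon,
// login forms) when the tab loses focus, compares on return, and checks where
// each password field would send its value. makeFakeDoc and every host name
// below are constructed so the logic runs under Node without a browser.

function snapshotPage(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    origin: doc.location.origin,
    title: doc.title,
    favicon: icon ? icon.href : null,
    // one entry per password field: the URL its form would submit to
    passwordForms: Array.from(doc.querySelectorAll('input[type="password"]'),
      (f) => (f.form ? f.form.action : doc.location.href)),
  };
}

// jamesh's question: would the password leave over plain HTTP, or go to an
// origin other than the page the user believes they are on?
function passwordRisk(pageOrigin, formAction) {
  const target = new URL(formAction, pageOrigin + '/');
  const reasons = [];
  if (target.protocol !== 'https:') reasons.push('password sent without TLS to ' + target.host);
  if (target.origin !== pageOrigin) reasons.push('password sent cross-origin to ' + target.origin);
  return reasons;
}

function assessTabSwap(before, after) {
  const reasons = [];
  for (const key of ['origin', 'title', 'favicon']) {
    if (before[key] !== after[key]) reasons.push(key + ' changed: ' + before[key] + ' -> ' + after[key]);
  }
  if (after.passwordForms.length > before.passwordForms.length) reasons.push('login form appeared while hidden');
  for (const action of after.passwordForms) reasons.push(...passwordRisk(after.origin, action));
  return { suspicious: reasons.length > 0, reasons };
}

// Browser hook (needs a real document, so not exercised under Node):
// snapshot on hide, compare on show, report anything suspicious.
function installTabnabbingWatch(doc, report) {
  let hiddenSnapshot = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') { hiddenSnapshot = snapshotPage(doc); return; }
    if (hiddenSnapshot) {
      const verdict = assessTabSwap(hiddenSnapshot, snapshotPage(doc));
      if (verdict.suspicious) report(verdict);
    }
    hiddenSnapshot = null;
  });
}

// Minimal constructed stand-in for the DOM surface snapshotPage touches.
function makeFakeDoc(state) {
  return {
    location: { origin: state.origin, href: state.origin + '/' },
    get title() { return state.title; },
    querySelector: (sel) => (sel === 'link[rel~="icon"]' && state.favicon ? { href: state.favicon } : null),
    querySelectorAll: (sel) => (sel === 'input[type="password"]'
      ? state.passwordForms.map((action) => ({ form: { action } })) : []),
  };
}

// Constructed scenario from the thread: a harmless page is left in a background
// tab and comes back dressed as a Gmail login whose form posts elsewhere.
function demo() {
  const state = { origin: 'http://innocuous-linkfarm.example', title: 'Funny videos',
    favicon: 'http://innocuous-linkfarm.example/favicon.ico', passwordForms: [] };
  const doc = makeFakeDoc(state);
  const before = snapshotPage(doc);
  Object.assign(state, { title: 'Gmail: Email from Google',
    favicon: 'http://innocuous-linkfarm.example/gmail.ico',
    passwordForms: ['http://collector.example/login'] });
  return assessTabSwap(before, snapshotPage(doc));
}
```

In a browser the same logic is wired up with installTabnabbingWatch(document, console.warn); the verdict lists each identity change and each risky password destination separately.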

  • who develop these attack vectors used half of their creativity on a legitimate purpose, they'd make 10x the money and earn it completely honestly

    i mean this is a brilliant attack. so, whoever thought this up, why aren't you making millions in a respectable way? you obviously have the brains to do that

    some people just have to be assholes

    • by ascari (1400977)

      Really? I take it you've never tried starting a business? Things like "brilliant" and "brains" often have very little to do with eventual success. Just take a look around you if you need hard evidence.

      Additionally, there are places on the planet (including parts of the US and Western Europe) where opportunities still are limited even for smart people. The Internet and associated scams have opened up possibilities for "geniuses" in such places. So if you ask those geniuses the classic question "If you're

    • Re: (Score:3, Insightful)

      by Garble Snarky (715674)
      A legitimate purpose like, say, significant development work on a well-known, large-scale open source project, such as Firefox?

      All you had to read was the first sentence of the summary...
  • Noscript (Score:4, Informative)

    by Wonko the Sane (25252) * on Tuesday May 25, 2010 @09:16AM (#32334984) Journal

    This attack only works if you allow Javascript by default, instead of only whitelisting sites that you trust.

    • by 0ld_d0g (923931)

      Agree, but sometimes JS files are hosted off separate domains, etc, making white-listing a pain.

  • Can Javascript really access other tabs or windows? Shouldn't it be restricted to its own page/tab/window?

  • by roman_mir (125474) on Tuesday May 25, 2010 @09:47AM (#32335360) Homepage Journal

    Even if the scripts are completely disabled on the page, what about a delayed HTTP response, in effect a push to the browser by a server that is done sometime after the page is loaded as a delayed response to the browser request?

    It's really hard to avoid all possible scenarios on how a page can be changed from something to something else.

  • So this is a pretty clever thing to do. The issues here are that it's sneaky, remarkably effective (even against those who are security-aware), and difficult to stop, since tabbed browsing is generally regarded as a good thing.

    One possible solution would be to have browser support for user-opted website whitelisting. When you visit a site where you require security (banking, etc.) for the first time, you can configure your browser to add the domain to a security-aware whitelist. Every time, from then on, wh

  • As far as I can tell, the script merely waits a while (hoping that the user's attention is diverted) before changing the contents. Surely, the same idea works about as well if the user uses multiple windows rather than multiple tabs. Just as soon as attention is diverted from the appropriate browser and it is covered by other windows, the content could be changed without the user noticing.

    The only difference is that, with multiple windows, a portion of the window may still be visible when the user is look
