Tabnapping Scams Around the Corner?

scamdetect pointed us to an interesting bit of news about a new security risk called tabnapping that was recently outlined by Aza Raskin. The short story is that background tabs are updated with login forms impersonating the sites they originally contained, but hosted by helpful third parties primarily interested in your password. (CT:Original writeup removed at request of submitter)

Umm...

[Pojut]

...so are people really dumb enough to go "oh right, my bank's webpage" without realizing they didn't bring it up themselves?

Re:Umm...

[mgblst]

What if they have it in another tab already? Then it would work.

And if you use this for gmail, or facebook, tabs that people always have opened, it is going to get results.

This is actually incredibly brilliant. I am going to pay more attention to my tabs from now on.

Re:

[PopeRatzo]

As long as they leave my Quick Launch bar alone.

Re:

[delinear]

As far as I can tell that's exactly what the author is getting at, it's just badly summed up by saying they leave the page. What it means is, you open Facebook or something in one tab, in another tab you go to a site which has an embedded attack that reloads the Facebook tab with a phishing site that looks the same but has some "timeout, please login again" message. To the user it doesn't appear that they left the FB site at all, and likely when they "log in" the phishing site will collect their details and

Re:

[Qzukk]

user actually changed tab?

window.onblur()

Being somebody who got 20-30 tabs up and running along with massive tab switching I can't see how i would not spot that its forcefully reloaded and wrong?

Do you know for certain, without looking, what is in tab #8 right this instant? If you had to look, then if you didn't read the exact URL you just lost. If you didn't have to look or you looked at the URL instead of just the title or the icon on the tab, then you would realize that tab #8 was wrong and you would be

Re:

[Anonymous Coward]

I think what might be more disturbing is if the application looked at what url your other tabs are and redirected those sites to phishing sites that have copied the layout.

Re:

[commodore64_love]

Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen. And I would probably fall for it when, in about an hour, I go back to see it. I'd type in my name and password without realizing a thief was watching.

Not exactly.

[khasim]

Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen.

Not exactly. From his page on this "exploit"...

You can try it out on this very website (I've only tested it in Firefox). Click away to another tab for at least five seconds. Flip to another tab. Do whatever. Then come back to this tab.

It's hard to find, isn't it? It looks exactly like Gmail. I was lazy and took a screenshot of Gmail which loads slowly. It would be better to recreate the page in HTML.

So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.

Re:

[jandrese]

The idea is that these users we always hear about who never have less than 50 tabs open can't remember which tabs are which, and if you put up a Facebook login screen or something, then you'll think it's just a timed out Facebook session.

Even before tabbed browsing was popular, you could have done this with minimized or backgrounded windows too. To me the big problem is that he has to create a site that people will feel compelled to leave open while they go off and do something else. That will probabl

Re:

[somersault]

Except your Facebook never times out unless you log into it on another computer or you don't tick the box to stay logged in.. which I suppose some people might if they don't know how to set up multiple accounts on their computer.

To create a site that people will feel compelled to leave open while they go off and do something else.. that actually sounds incredibly easy - either a porn site or a "humourous" video amalgamation feed type thing which opens the links you click on in a new tab.

Re:

[delinear]

Except your Facebook never times out unless you log into it on another computer or you don't tick the box to stay logged in.. which I suppose some people might if they don't know how to set up multiple accounts on their computer.

More likely users on public machines who might want to have a few windows open while they're working but don't want to have to remember to sign out if they get called away for a few hours and don't have a chance to return to their session.

To create a site that people will feel compelled to leave open while they go off and do something else.. that actually sounds incredibly easy - either a porn site or a "humourous" video amalgamation feed type thing which opens the links you click on in a new tab.

Not that easy, in fact, if you could come up with a way to create sites people never wanted to close (and to repeat the success at will, because as soon as your original phishing site got blacklisted you'd have to be able to create a bew one) then you could earn very good

Re:Not exactly.

[WrongSizeGlass]

So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.

Exactly ... but if the 'fake' site checks your browser history for the specific fake login screens they have in their repertoire then they can show one that you have used recently.

AND if ...

[khasim]

Exactly ... but if the 'fake' site checks your browser history for the specific fake login screens they have in their repertoire then they can show one that you have used recently.

AND if you're not using noscript (or equivalent) or you allow that site to run whatever javascript it wants. And so forth.

Re:

[nmg196]

How? You can't check someone's browser history using JavaScript.

Re:

[Pojut]

Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen

Ah, but like you said, you are logged into Facebook right now. Would you not find it suspicious if when you clicked back over to it, you were greeted with a login screen?

Losing your cookies every 24 hours

[tepples]

like you said, you are logged into Facebook right now. Would you not find it suspicious if when you clicked back over to it, you were greeted with a login screen?

A lot of web sites periodically invalidate session cookies after 24 hours. In that case, the next link you click even on the legitimate site will present a login screen.

Re:

[delinear]

Facebook is just a convenient example people have heard of. There are other sites where such an attack could do a lot more damage and which the user would expect to be periodically logged out of - banking for example, although if you leave a banking session open and logged in while you're working in other tabs you're probably asking for trouble anyway, but that doesn't mean it never happens.

Re:Umm...

[fuzzyfuzzyfungus]

P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."

Arguably, that will be the case here. Your basic clueless noobtard will click on just about anything that looks vaguely plausible, and a lot of stuff that doesn't. This technique will be overkill for them, since straight phishing still works just fine.

Your competent power user, on the other hand, may not fall for the trivial cases(two or three tabs, "innocuous-linkfarm.typosquatter.com" changes into "evil.ath.cx/yourbankherereallyhonestly.html" in front of your eyes); but they are the ones most likely to have 10 firefox windows open, each with 20 or 30 tabs, possibly on multiple monitors. Unless you possess an inhuman ability to maintain state tables in your head, you could easily assume that "yourbank.scam.com" on browser window 5, tab 15, is the "yourbank.com" that you actually did open, on browser window 7, tab 19. That'd be totally understandable mistake, some percentage of the time, especially if you were tired, distracted, multitasking, or getting sauced enough to face a legacy refactoring project.

Again, tab-related trickery is of no particular use against SSL and cert validation, so the clueful user could detect it that way(unless combined with some attack on SSL, the browser's implementation of it, or the integrity of a trusted certificate authority); but there is no particular reason to suspect that any but the most paranoid user would detect the tab-substitution attack itself.

Re:

[KiloByte]

tab-related trickery is of no particular use against SSL and cert validation,

And how exactly SSL would help in this case? The phisher will have a legitimate cert for *.scam.com, you're not going to catch it unless you notice the URL is wrong or you run Certificate Patrol.

Re:Umm...

[mcgrew]

P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."

No, that was Abraham Lincoln, who said "you can fool some of the people all of the time, and all of the people some of the time, but you can't fool all of the people all of the time."

PT Barnum said "there's a sucker born every minute." And both he and Lincoln were correct.

Re:

[nabsltd]

PT Barnum said "there's a sucker born every minute."

No, he didn't [wikipedia.org].

Re:

[SatanicPuppy]

Actually, wrt to banking transactions, I'm cautious enough due to cross-site scripting vulnerabilities that I won't open a bank session when I have any other tabs open.

Re:

[commodore64_love]

>>>most likely to have 10 firefox windows open, each with 20 or 30 tabs, possibly on multiple monitors. Unless you possess an inhuman ability to maintain state tables in your head, you could easily assume that "yourbank.scam.com" on browser window 5, tab 15, is the "yourbank.com" that you actually did open, on browser window 7, tab 19. That'd be totally understandable mistake
>>>

I don't understand power users like that. Do you REALLY need to have ~50 different websites open? First off, m

Re:

[fuzzyfuzzyfungus]

Depending on the market they happen to live in, any power user who wants a bank...

Re:

[Pojut]

^This. My bank asks for the standard username and password, but then on the next screen they request your PIN. You don't type it in, though...it's completely mouse driven. So not only do they have the extra protection of needing a PIN, but it helps thwart keyloggers because you don't actually type it in.

Re:

[delinear]

I bank with HSBC, which is by no means a little no-name bank, and they let me log in with just typed credentials (account details and three digits of a 6-9 digit pin). I wish they'd back this up with some kind of dongle authentication, like other banks, but their answer is to have me install some rubbish plugin if I want added security, which I can't always do if I'm using different machines, working off site, etc. so I have little choice (other than the hassle of changing banks) than to accept their requir

Re:

[AlexiaDeath]

People are dumb enough to install Latest Awesome Bling MSN smileypack + FREE TROJANS, they are dumb enough to fall for this. Banks around here do recommend opening an NEW browser window for banking and closing it after done tho as a dumb user safeguard. But they also implement proper 2 factor(what you know + what you have, a smart card with pin needed to use certificates) authentication system. Legacy 1.5 factor system is severely limited(sum you can move is ridiculously small) already and will be phased

Re:

[sglane81]

This does not prey on smart or dumb. This preys on how much information you can hold in your head at the same time. Miller's magic number 7. When you go beyond 7 things, you'll have to access different memory which is where the sleight of hand is at play.

http://en.wikipedia.org/wiki/The_Magical_Number_Seven,_Plus_or_Minus_Two [wikipedia.org]

Re:

[KiloByte]

The phisher will just proxy your session to the real bank. Except, when you make that transfer, oops!, it will go to a different account. All while displaying the account you wanted on your screen.

Re:

[Taibhsear]

...so are people really dumb enough to go "oh right, my bank's webpage" without realizing they didn't bring it up themselves?

Having cleaned malware from at least a dozen computers/hard drives in the last couple months alone... Yes.

Re:

[erroneus]

Actually, in theory, they already had their bank web page up and when they weren't looking, some other code/app changes that page to a phishing page that looks like the bank's site except that it say "session timed out, please log in again." At which point, the user provides his username and password to restore his session.

Not only do I see the average Joe falling for this sort of attack, I see *ME* falling for such an attack. I use uncommon financial and insurance companies and I have never seen a phishi

Re:

[dtml-try MyNick]

...so are people really dumb enough to go "oh right, my bank's webpage" without realizing they didn't bring it up themselves?

Short answer, yes! Long answer, yes!

It's not even about being stupid or being dumb but the majority of people is simply clueless. It's their computer and that's safe by definition. They can't imagine that anything they see in their browser (or other program) they started up themselves could be malicious.

They had to be taught to not click on links in their mail and you expect that very same group to know that a website can be evil too, even if it looks exactly, pixelperfect, the same as the website they usu

Re:

[TheRaven64]

are people really dumb enough to

For any way that you can finish that sentence, the answer is always 'some people are, yes'. The question is how many people are dumb enough. If the end result is someone else having access to your bank account, then even a few people can make it worthwhile.

We need death squads

[commodore64_love]

People who do this crap of stealing people's accounts or identities should be shot.

Re:

[PhongUK]

How do we identify them?

Re:

[Chrisq]

People who do this crap of stealing people's accounts or identities should be shot.

How do we identify them?

Why not ask the RIAA. They identify lots of copyright infringers. What could possibly go wrong.

Re:

[commodore64_love]

On second thought, since government does sometimes convict innocent people, let's avoid the death penalty. Let's make these creeps lifelong indentured servant to whomever they have harmed. I wouldn't mind having the guy who stole my credit card and purchased $4000 at Walmart serve as my maid for a summer.

Re:

[AndrewBC]

New plan: steal my own identity sloppily under the guise of your identity which I stole perfectly. Now polish my boots!

Re:

[WrongSizeGlass]

New plan: steal my own identity sloppily under the guise of your identity which I stole perfectly. Now polish my boots!

Now, that is just evil. Go to your room and think about what you've ... um, on the other hand, stop thinking about that stuff before you come up with an even more devilish plan.

Sneaky...

[fuzzyfuzzyfungus]

Obviously, this won't subvert SSL certs or anything; but studies consistently demonstrate that users oscillate between "don't know" and "don't care" about those, so that isn't much comfort.

And, since pages reloading themselves, or even forwarding to a different domain and URL entirely, after a delay is fairly common(if generally annoying) in a wide variety of legitimate applications, you can't really just break the ability to do that. Sure, you could add it as an advanced option somewhere, or get it largely for free with the right NoScript settings; but there is no way you can break it by default.

You pretty much just fall back on the phishing filter, which is a lame, AV-esque "solution". This would seem to apply to all tabbed browsers, as well.

Re:

[jamesh]

Obviously, this won't subvert SSL certs or anything

Are there any browser addons that alert you when you are entering a password into a non-SSL site? That would reduce this problem unless the bad guys got SSL certs or compromised websites with SSL certs, which is less common. And even then, the addon could flash something down the bottom like "entering password for yourbank.com" vs "entering password for yourbank.com.badguy.ru". You'd have to be observant but less actively so.

This is one of those stupidly smart things.

[Securityemo]

You see this, and think "Why didn't someone think about this before?"

Re:

[supersloshy]

You see this, and think "Why didn't someone think about this before?"

Tab Mix Plus [mozilla.org] has had locked tabs [garyr.net] for a while now. I'm not entirely sure if this fixes the issue of tabnapping, but it looks like it might.

Re: Tab Mix Plus doesn't work well enough

[TaoPhoenix]

I tried it out and Protected/Froze/Locked the tab and the exploit ran.

I think it's because the full contents were loaded and it didn't actually try to navigate anywhere.

Re:

[Garble Snarky]

The locking prevents the user from navigating to another page. I don't think it has any effect on scripts that were initially loaded with the page.

Re:

[WrongSizeGlass]

NoScript will help because this is done via simple javascript. The 'tab' is not manipulated - a new front-most 'div' appears that displays the fake login screen. I'm sure the same type of thing could be accomplished by changing the document.location via a timer rather than displaying a new div.

The tech behind this type of scam is not new by any means ... it's just that the concept is different.

Re:

[WrongSizeGlass]

The page the exploit takes you to is not legitimate, it just looks legit because it loads a copy of the correct site's login page ... then swaps them if you leave the tab.

Re:

[ShadowRangerRIT]

To be clear, this isn't manipulating another tab. The sequence of events is:

1. User opens link to seemingly innocuous but malicious site in Tab 1
2. User goes to Tab 2 to do some other work (tab 2 is immaterial to this; it would work just as well if they switched to another application long enough to forget what they were doing in the browser)
3. Malicious site in Tab 1 detects that it is unobserved, and replaces itself with a seemingly legitimate log-in page; this need not require a refresh with appropriately des

Tabnapping

[DarkKnightRadick]

Without having RTFA:

That sounds a lot more complicated as you'd need to hack at least one high traffic website, read the cookies stored by the browser, and then force a meta-refresh only when the user isn't looking.

Re:

[WrongSizeGlass]

Changing it when you're not looking is done very easily:
window.onblur = function(){
;TIMER = setTimeout(changeItUp, 5000);
}
BTW, this isn't just a FireFox issue, he's only tested it in FireFox. It also works in Safari and IE 7 but didn't take in Chrome 5 (Mac).

disabling scripts on unfocused tabs?

[roman_mir]

Maybe it is time for the browsers to take matters more seriously and block any scripts from running in tabs that are not currently in focus.

But this can be done in separate windows too, not just in tabs. In terms of whether this is a new concept, let's just say that I have 'seen' this done 10 years ago to gain access to some chat accounts.

Re:

[The MAZZTer]

Except this would break AJAX applications that need to send heartbeats, such as chat applications.

Re:

[roman_mir]

white-listing of sites would fix that problem.

Re:

[jafiwam]

Maybe, as an option with a white list for sites. I say this, because Slashdot would be completely useless if there weren't options. It takes 90 seconds to load all the crap scripting in FireFox if there is more than 100 or so comments. One of the nice things about using tabs, is one window can contain whatever slow-assed crap I am trying to pull up researching some dumb error or other. Having the tab do nothing while not being viewed would remove 99% of the usefulness of tabs.

Re:

[jellomizer]

Except for the fact that the Web Browser like it or not, is more then just a web browser it is an interface platform for applications. You can bitch and moan all you want. However the Web Apps are here and they are going to stay for a long time. Every time you try to block a security issue you close an other door for honest development. So the easy fix of saying you can cross script to other tabs or windows sounds like an easy fix... It really isn't.

Re:

[roman_mir]

I don't know who is bitching or moaning, but the suggestion is totally reasonable when provided with a white-list, so the sites you want to run scripts on background will be able to if the browser warns the user that there are scripts on the background that await execution and that switching from the tab will stop them.

Then the proverbial: Cancel/Allow or something to that effect would add this site to a white-list.

So, no need for your dramatic epithets.

Re:

[roman_mir]

white listing is not an impossible concept, or is it?

Re:

[Lunix Nutcase]

But highly inconvenient to many users so they will get mad and disable such a feature thus negating the entire purpose.

Re:

[roman_mir]

Do you think that a dialog, warning a user who is switching from one screen to another with a 'allow always/never/this time/stay on this page' in case a site is running scripts on the background and then white-listing the site if the 'allow always' button is pushed is such an outrageous concept?

Maybe then the users deserve to have their private information stolen.

This is Internet, it's not your mommy, who will love you no matter what you do (supposedly).

Re:

[Lunix Nutcase]

Do you think that a dialog, warning a user who is switching from one screen to another with a 'allow always/never/this time/stay on this page' in case a site is running scripts on the background and then white-listing the site if the 'allow always' button is pushed is such an outrageous concept?

Yes. That would be a huge annoyance to many users similar to all the UAC dialogs in Vista.

Re:

[roman_mir]

It could be an annoyance, I guess an annoyance of having your bank account emptied is not as big then? Just saying.

Of-course there are other options, like displaying to the user what the page looked like when they left it and what it looks like now, by the time they have returned to it, but again, an annoyance.

Re:

[fuzzyfuzzyfungus]

Technologically, yes. From a human interaction perspective, not really.

Unless you want an audience of only security enthusiasts, having your browser break all sorts of common and legitimate websites by default is a no-go.

If a site is convincing enough to phish somebody, it is probably convincing enough to get them to whitelist it(unless you make whitelisting such a pain in the ass that the bottom 20% of your users can't even figure it out).

If you ship your own whitelist, you face the endless time-a

Re:

[roman_mir]

Well, the point was that a site that does not look like it's trying to phish anything changes all of a sudden (possible to do with a script or with a delayed HTTP response, sort of a server push) and this innocuously looking site morphs into a phishing page.

So if the site was a legitimate one (well, how legitimate is the real Facebook, but still) and then someone hijacked it, then it would be a problem for the user because user would trust Facebook.

If the site is not something that the user is familiar to,

Re:

[tepples]

Then how do you play online games or use chat features on social sites?

They would update in one huge refresh a second after you switch back to them.

Re:

[roman_mir]

Oh, and by the way, 'thinking about suggestions before making them' - that's outdated.

There is time to act and there is time to think.

This here, gentlemen, is not time to think.

(of-course shamelessly ripped off of the Canadian Bacon)

Re:

[roman_mir]

those are great, aren't they? You missed another one: a delayed HTTP response, in effect a server 'push' to the browser.

You use white listing to avoid this problem by detecting if a page is running scripts on the background and presenting the user with the obvious: "run always/never/this time/stay on page" dialog with an explanation of why this is.

If they decide not to pay attention and click on whatever, well, I actually believe in social Darwinism and in this instance it really is not likely that someone

Re:

[roman_mir]

sure, there is also a possibility of a delayed HTTP response to a request, a so-called server push.

So let me get this straight...

[L4t3r4lu5]

I'm supposed to open a tab, go to a website, open a second tab, go to a compromised website which changes the content of the first tab without my interaction, and then log on to the site presented in the first tab? Don't you think that I'll notice that I'm not on the same website I was on previously?

Seriously, all of these types of attacks rely on the user having the mental capacity of a damp shoelace. Maybe letting them get bitten every so often will teach them to pay more attention to what's going on, a

Re:So let me get this straight...

[The MAZZTer]

Some people keep 100s of tabs open. They could come back hours later and see a Gmail login screen and assume they opened it at some point.

Re:

[Hurricane78]

And it”d be their own damn fault for having such a mess.
Seriously? You need hundreds of tabs? Did you never hear of doing first things first, and freeing your mind from other stuff? Did they never hear of bookmarks, bookmark folders and saving sessions (e.g. with TabMix Plus)?

Sorry, but there’s a point at with you just deserve it. This is one of them. Like cockroaches in a apartment that looks like a garbage dump.

Re:

[PatHMV]

No, the attack knows what site you had open in tab 1, and replaces the page that had been in there with another page which appears to be from the SAME site. It will have all the right logos and so forth, and will says something like "Your Facebook session has timed out. Please log in again." ... with a very normal looking log-in button right below it. Except that you're not actually on Facebook in that tab anymore. In other words, RTFA. This is a potentially very sophisticated attack which could dupe even

Re:

[Qzukk]

No, tab 1 is still the same site as ever, but the page you visited in tab 34 and forgot about 30 minutes ago suddenly looks like a facebook "you have timed out please log in" page. It's even used javascript to change the title of the tab and the favicon.

Pop Quiz! Were you logged into Facebook on tab 48, tab 18, or tab 42???!?!

All it takes is a bit of javascript inserted into a normal site using cross-site scripting, or an intentionally malicious site in the first place, or an adserver serving up whatever j

if these geniuses

[circletimessquare]

who develop these attack vectors used half of their creativity on a legitimate purpose, they'd make 10x the money and earn it completely honestly

i mean this is a brilliant attack. so, whoever thought this up, why aren't you making millions in a respectable way? you obviously have the brains to do that

some people just have to be assholes

Re:

[ascari]

Really? I take it you've never tried starting a business? Things like "brilliant" and "brains" often have very little to do with eventual success. Just take a look around you if you need hard evidence.

Additionally, there are places on the planet (including parts of the US and Western Europe) where opportunities still are limited even for smart people. The Internet and associated scams have opened up possibilities for "geniuses" in such places. So if you ask those geniuses the classic question "If you're

Re:

[Garble Snarky]

A legitimate purpose like, say, significant development work on a well-known, large-scale open source project, such as Firefox?

All you had to read was the first sentence of the summary...

Noscript

[Wonko the Sane]

This attack only works if you allow Javascript by default, instead of only whitelisting sites that you trust.

Re:

[0ld_d0g]

Agree, but sometimes JS files are hosted off separate domains, etc, making white-listing a pain.

Can Javascript do this?

[Yvan256]

Can Javascript really access other tabs or windows? Shouldn't it be restricted to its own page/tab/window?

Server delayed HTTP response as a push

[roman_mir]

Even if the scripts are completely disabled on the page, what about a delayed HTTP response, in effect a push to the browser by a server that is done sometime after the page is loaded as a delayed response to the browser request?

It's really hard to avoid all possible scenarios on how a page can be changed from something to something else.

Possible Solution - whitelisting?

[Jahava]

So this is a pretty clever thing to do. The issues here are that it's sneaky, remarkably effective (even against those who are security-aware), and difficult to stop, since tabbed browsing is generally regarded as a good thing.

One possible solution would be to have browser support for user-opted website whitelisting. When you visit a site where you require security (banking, etc.) for the first time, you can configure your browser to add the domain to a security-aware whitelist. Every time, from then on, wh

Why is this about tabs at all?

[phiwum]

As far as I can tell, the script merely waits a while (hoping that the user's attention is diverted) before changing the contents. Surely, the same idea works about as well if the user uses multiple windows rather than multiple tabs. Just as soon as attention is diverted from the appropriate browser and it is covered by other windows, the content could be changed without the user noticing.

The only difference is that, with multiple windows, a portion of the window may still be visible when the user is look

Re:

[Quantumstate]

Tabs usefully group views, so I can open a window which I use for looking up some maths things, another for slashdot stories perhaps. Also current window managers aren't designed for having that many different windows open, so many applications use the tabbed approach like editors/ides.

Tabs can provide a specialized interface for web browsing such as tree style tabs which works very well, providing another level of organisation.

Re:

[The_mad_linguist]

Because I can avoid filling up my list of windows with dozens of instances of firefox when I'm working on a research project. If I have a bunch of tabs open, and only one window, it's far quicker to switch between open office text and back.

Re:

[Iamthecheese]

It certainly does improve the UI. Tabbing covers up the Windows UI problem of not being able to tell the documents you have open if you have enough of them. It does this by using extra screen real estate.
If I open 50 Opera windows I'll see "Opera" in each button in my taskbar but unless I want to change my taskbar size dynamically not the site name or that little icon for the site. If I open 50 Opera tabs than at the top of my screen I'll see all those little icons, which lets me click on the right tab.

Re:

[bhtooefr]

Because most OSes have very poor window management, and Alt-Tab gets REALLY ANNOYING when you've got 50 windows open, 30 of them browser windows. Tabs at least give you Ctrl-Tab as an option for navigating the browser windows.

(Alternately, there is always the Mac route, where Cmd-Tab switches programs, and Cmd-` switches windows within a program.)

Re:

[milgr]

The tabs are related... they are all web pages. I have about 25 tabs open in each of 2 Firefox windows. I also have numerous other windows on each of 7 virtual screens on each of 2 physical screens. Before the days of tabs, it was challenging to find the correct window. Now, for a web page I merely look in my browser tab list.

Hmm... maybe I should create a new SELinux sandbox [livejournal.com] for Firefox for each web page I visit, and avoid tabs.

Re:

[value_added]

I have about 25 tabs open in each of 2 Firefox windows. I also have numerous other windows on each of 7 virtual screens on each of 2 physical screens.

Out of curiousity, what is it that's open in those 25 tabs?

I've never encountered a reason to open more than a handful at a time. I can't even imagine opening that many multiplexed terminals in screen, irrespective of how many jobs I was running, or how many systems I was working on.

Re:

[jamesh]

My two cents as far as tabs go, is that a window should be a window - not a collection of tabs

And what is the task bar in Windows? I used multiple windows before the days of tabs, and they just ended up being a bunch of 'tabs' in the task bar, mixed in with a whole load of things even less related. I have 30 tabs open right now in firefox, and about 35 windows. If I could find a good tabbed version of putty i'd use that and it would cut down my window count by about 12.

I have never understood why many people think they are a good idea - I think they break a heap of good UI principles.

So... having used non-tabbed and tabbed browsers, and greatly preferring tabs, I should stop using them because they "break a heap o

Re:

[phiwum]

Simple solution - don't use tabs in browsers.

I don't think this solution fixes anything. As near as I can figger, the guy that uses multiple windows (instead of tabs) is just as vulnerable to this issue as the tab user --- assuming that his top window(s) block the view of other browser windows entirely. The only real issue I see in the article is that, when your attention is diverted from a page and it is hidden from your view, its contents may be changed.

So, tabs are, as far as I can, a red herring here. It's not really about tabs at all. (Someon

Re:

[simoncpu was here]

Are you sure this post is not a scam that is intended to drive traffic to your site?

Re:A little peeved!

[mysidia]

Slashdot is about news, not driving traffic to someone's website.

And 'getting traffic' is not some kind of exchange or reward offered for submitting an article.

If a different link is editorially better, then it is expected that the editors will swap it.

Re:A little peeved!

[clickety6]

First tab-nabbing and now submission-nabbing where the link in the article changes after submission!

Re:

[roman_mir]

at least you can't accuse this story of hypocrisy and of not living up to its expectations.

Re:

[Anonymous Coward]

Regardless of which link is in the story, I still greatly benefit from you having taken the time to write the blog post and submit it to slashdot. Thank you for that.

Oh, you meant benefit to you! What do you think slashdot is? Just a way to generate eyeballs for your personal blog? Screw you for that.

Re:A little peeved!

[mcgrew]

That's a valid reason for including the link and for being disappointed that it was replaced - isn't it?

Not in my eyes it isn't, and I wish they'd do it more often -- like when the submission has ten ad-laden one-paragraph pages I wish they'd link to a single page view, whether that site or another. Of course you think your blog was better than krebsonsecurity, but personally I almost never click on any link with "blog" in the name, especially from slashdot. They've gotten a lot of (well deserved) flak in the past for linking a blog that links an original story, and I'm glad they're listening.

Be glad that they didn't rewrite the entire summary as they've done with some of my submissions.

A submission is supposed to benefit the slashdot community, not the submitter. Too often people like you make submissions just to drive traffic to their own site for the money.

Shame on you.

Re:A little peeved!

[Qzukk]

They've gotten a lot of (well deserved) flak in the past for linking a blog that links an original story, and I'm glad they're listening

They're not listening, the blog post they substituted is still just someone bloviating about the original article and proof of concept [azarask.in].

In action, it's scary in a way that just listening to some blogger yak about it doesn't get the point across, and the author points out how to use the :visited detectors and various hacks to detect if you've logged into a site or not to make it even scarier.

Re:

[satoshi1]

Because you're being a selfish prick.

Re:

[scamdetect]

Because you're being a selfish prick.

I truly value your input. Thank you.

Re:

[Anonymous Coward]

I agree it was transparently disrespectful of CmdrTaco to approve your submission, but with someone elses link. However:

1. The linked article predates your linked blog according to the submission timestamps on each blog
2. The linked article contains further links to relevant information, including a link to the original subject's website and a proof-of-concept site.

I understand the euphoric feeling you got when your submission was accepted, and I also understand that sinking sensation you felt when y

Re:

[flyingfsck]

That will whoosh over the heads of 99.999% of people who never heard of Coke Tab.