
Devious New Phishing Tactic Targets Tabs

    Most Internet users know to watch for the telltale signs of a traditional phishing attack: An e-mail that asks you to click on a link and enter your e-mail or banking credentials at the resulting Web site. But a new phishing concept that exploits user inattention and trust in browser tabs is likely to fool even the most security-conscious Web surfers.

    As Mozilla Firefox creative lead Aza Raskin describes it, the attack is as elegant as it is simple: A user has multiple tabs open, and surfs to a site that uses special javascript code to silently alter the contents of a tabbed page along with the information displayed on the tab itself, so that when the user switches back to that tab it appears to be the login page for a site the user normally visits.

    Consider the following scenario: Bob has six or seven tabs open, and one of the sites he has open (but not the tab currently being viewed) contains a script that waits for a few minutes or hours, and then quietly changes both the content of the page and the icon and descriptor in the tab itself so that it appears to be the login page for Gmail.

    In this attack, the phisher need not even change the Web address displayed in the browser’s navigation toolbar. Rather, this particular phishing attack takes advantage of user trust and inattention to detail, or what Raskin calls “the perceived immutability of tabs.” Then, as the user scans their many open tabs, the favicon and title act as a strong visual cue, and the user will most likely simply think they left a Gmail tab open.

    “When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in,” Raskin explained. “After they have entered their login information and sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.”
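    The defining feature of the attack described above is that the page never navigates: the tab's origin stays the attacker's, and only the title, favicon and body are rewritten while the tab is in the background. That is something a browser extension can watch for. The following is an added example written for this post; it is not Raskin's proof-of-concept, not code from Mozilla or NoScript, and the event model, the `TabIdentityWatcher` class and the two event sequences are all constructed for illustration. It snapshots the tab's visible identity when the tab is hidden and compares it when the tab comes back, rating a favicon swap higher than a title change because legitimate pages (webmail unread counters, for instance) change their title in the background all the time.

```javascript
// Added example (not from the post, not Raskin's PoC): a defensive watcher
// modelling the check a browser extension could make against tabnabbing.
// It records the tab's visible identity (title and favicon URL) when the tab
// goes to the background and compares it when the tab returns.

function compareIdentity(before, after) {
  const changed = [];
  if (before.title !== after.title) changed.push('title');
  if (before.icon !== after.icon) changed.push('favicon');
  // A favicon swap in a background tab is rare for legitimate pages, so it
  // rates an alert. Title-only changes are common ("(3) Inbox"), so on their
  // own they only rate a notice.
  let level = 'ok';
  if (changed.includes('favicon')) level = 'alert';
  else if (changed.length > 0) level = 'notice';
  return { level, changed, before, after };
}

class TabIdentityWatcher {
  constructor() {
    this.current = { title: '', icon: '' }; // latest observed identity
    this.hiddenSnapshot = null;             // identity when the tab was hidden
    this.findings = [];                     // verdicts with level !== 'ok'
  }

  // Events: {type: 'title'|'icon', value} or {type: 'hidden'|'visible'}.
  handle(event) {
    switch (event.type) {
      case 'title': this.current.title = event.value; break;
      case 'icon':  this.current.icon = event.value; break;
      case 'hidden': this.hiddenSnapshot = { ...this.current }; break;
      case 'visible':
        if (this.hiddenSnapshot !== null) {
          const verdict = compareIdentity(this.hiddenSnapshot, this.current);
          if (verdict.level !== 'ok') this.findings.push(verdict);
          this.hiddenSnapshot = null;
        }
        break;
      default: throw new Error(`unknown event type: ${event.type}`);
    }
    return this;
  }
}

// Replay an event sequence and return the findings.
function runScenario(events) {
  const watcher = new TabIdentityWatcher();
  for (const ev of events) watcher.handle(ev);
  return watcher.findings;
}

// Constructed sequence mirroring the behaviour the post describes: the page
// rewrites its title and favicon only after the user has switched away.
const tabnabSequence = [
  { type: 'title', value: 'An ordinary article' },
  { type: 'icon', value: 'https://example.invalid/favicon.ico' },
  { type: 'hidden' },                                              // user switches tab
  { type: 'title', value: 'Gmail: Email from Google' },            // swapped while hidden
  { type: 'icon', value: 'https://example.invalid/lookalike.ico' },
  { type: 'visible' },                                             // user comes back
];

// Constructed benign sequence: a webmail tab bumping its unread counter.
const unreadCounterSequence = [
  { type: 'title', value: 'Inbox' },
  { type: 'icon', value: 'https://mail.example.invalid/favicon.ico' },
  { type: 'hidden' },
  { type: 'title', value: '(2) Inbox' },
  { type: 'visible' },
];

// Browser wiring; skipped under Node so the logic above can be unit-tested.
if (typeof document !== 'undefined') {
  const watcher = new TabIdentityWatcher();
  const iconHref = () => {
    const link = document.querySelector('link[rel~="icon"]');
    return link ? link.href : '';
  };
  const sync = () => watcher.handle({ type: 'title', value: document.title })
                            .handle({ type: 'icon', value: iconHref() });
  sync();
  new MutationObserver(sync).observe(document.head,
    { childList: true, subtree: true, characterData: true, attributes: true });
  document.addEventListener('visibilitychange', () => {
    const before = watcher.findings.length;
    watcher.handle({ type: document.hidden ? 'hidden' : 'visible' });
    if (!document.hidden && watcher.findings.length > before) {
      const f = watcher.findings[before];
      console.warn(`Tab identity changed while hidden (${f.level}): ${f.changed.join(', ')}`);
    }
  });
}
```

    Run under Node, `runScenario(tabnabSequence)` yields one alert listing both `title` and `favicon`, while the unread-counter sequence yields only a notice. The threshold is a design choice: a title-only change is the normal case for webmail and chat tabs, so treating it as an alert would train users to ignore the warning.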

    Raskin includes a proof-of-concept at his site, which is sort of creepy when you let it run. In fact, at least once while composing this blog post in Firefox I went to click on the tab that had my Gmail inbox open, only to discover I’d accidentally clicked on Raskin’s page, which had morphed into the fake Gmail site in the interim.

    It’s important to keep in mind that this attack could be used against any site, not just Gmail. Also, Raskin includes a few suggestions about how this attack could be made far sneakier — such as taking advantage of CSS history attacks.

    Of course, if you are browsing with the excellent “Noscript” add-on and this is a site you have not allowed to run javascript, the proof-of-concept won’t work until you allow javascript on the page. It did not work completely against the Safari browser on my Mac (no favicon), and the test page failed completely against Google Chrome. [Update: As several readers have correctly pointed out, this attack does in fact work against Chrome, although it doesn't seem to change the favicon in Chrome tabs].

    I’m left wondering what this new form of phishing will be called if it is ever adopted by the bad guys. Tabnabbing? Tabgrabbing? See if you can coin a better phrase in the comments below.

    Update, May 25, 7:55 p.m. ET: Researcher Aviv Raff has posted an interesting proof-of-concept of his own that shows how this attack can work against Firefox even when users have the Noscript add-on installed and in full paranoid mode. Raff crafted his page, which is a mock-up of this blog post, to morph into an image of the Gmail login page. It reloads every 20 seconds but will only change to the sample phish page if you move to another tab with your mouse, or after 10 reloads (in case you moved with the keyboard). So it will change only after 3 minutes or so, unless you move to another tab with your mouse.

    “I was trying to find a way to work around the javascript need for the [proof-of-concept],” Raff said in an instant message. “First I was able to do this without knowing if the user moved to a new tab. Now I can almost be sure of that.”

    Update, May 27, 11:41 p.m. ET: For Firefox users with the Noscript plugin, there is an update to the program that can block these types of tabnabbing attacks.


    93 comments

    1. Kinda just like the paper/preso by Moxie Marlinspike from BH09 but less advanced (no ssl stripping) but the same idea with the perception of the user. In his attack they throw in the favicon trick to visually engineer pages.

      http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

      Well-loved. Like or Dislike: Thumb up 10 Thumb down 1

      • Seems like a slightly different twist from Moxie’s paper, although somewhat in the same vein. I didn’t see anything in the tabnabbing paper that related to MITM, seems it could all be done client-side. Although I guess that Raskin’s work might have been suggested by the BH paper if Aza was aware of it. Scary part is that the tabnabbing attack looks like it could be kitted fairly easily, at first glance.

        Like or Dislike: Thumb up 0 Thumb down 2

      • btw forgot to say, very good link BenK, thanks for sharing it!

        Like or Dislike: Thumb up 0 Thumb down 1

    2. Tabnapping!

      Well-loved. Like or Dislike: Thumb up 26 Thumb down 6

    3. in keeping with some of the other web attack names, how about cross site login forgery

      Like or Dislike: Thumb up 3 Thumb down 1

    4. This is why I HATE webmail and use Outlook with SSL POP3 configured to read all mail as plain text. (Minimize any HTML tricks).

      Also, this would be rather easy to mitigate by only opening one tab or window! In fact, I take it further as listed below when it comes to any website of sensitive nature (ex. online banking):

      1. Close all browser tabs and/or windows AND any other web based programs (those that may use the browser cache or Flash Player cache)
      2. Clear browser cache and cookies (I use a batch file that does this and also deletes Flash Player cookie and cache directories)
      3. Launch browser in No Add-ons mode and a blank page
      4. Use a bookmark to bring up the login page or manually type known URL
      5. NEVER browse to any other site while logged into first site
      6. When finished, use the log off function of the website
      7. Close the browser
      8. Repeat step 2 to clear everything again

      It may seem like a pain, but it minimizes the chance of any shenanigans when using sites of sensitive nature.

      Well-loved. Like or Dislike: Thumb up 17 Thumb down 8

      • Are all those steps easier than a live CD or other “dedicated PC” option?

        Now for my really dumb question: could you post the content of that batch file? I’d love to have it for myself.

        Like or Dislike: Thumb up 2 Thumb down 1

        • For me, it is easier than rebooting into a Live CD as that would require planning ahead as to what secure tasks you need to complete, otherwise you’ll be booting in and out of it. I find it more practical and useful to properly secure my systems so I can use them with confidence. It all starts with being disciplined in not only setting up multiple layers of defense (defense in depth), but also in operating the computers in a way to ensure they remain clean. I’ve been doing so for 14+ years. It takes discipline, but it’s about you being in control of your systems, not anyone else! :)

          The batch file I use is called cleanup.bat. I store it in my central data area for easy backup and create a shortcut to it to easily launch it when needed. The commands are designed to run from any location. I use it on Windows XP. It should work on newer versions of Windows, although UAC may prompt to run it. It does NOT require administrator access as it runs only on the currently logged in user directories. Create your own batch file (ensure it ends in only bat not txt.bat, may need to disable the “Hide extensions for known file types”) and copy the contents below.

          @rem Close all open programs before running

          @rem %username% – applies to currently logged in user, can be replaced with specific profile username

          @rem Removes Adobe Flash Player cache and cookie directories
          rmdir /S /Q "C:\Documents and Settings\%username%\Application Data\Adobe\Flash Player"
          rmdir /S /Q "C:\Documents and Settings\%username%\Application Data\Macromedia"

          @rem Clears User Profile "Temp" folder files
          del /F /Q "C:\Documents and Settings\%username%\Local Settings\Temp"

          @rem Clears IE Temporary Internet Files, Cookies, History, Form Data, and Stored passwords (Applies only to IE7 and newer)
          rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

          @rem Prompts to press any key to continue (to see whether previous command finished before continuing)
          pause

          @rem Exits batch file
          exit

          Well-loved. Like or Dislike: Thumb up 8 Thumb down 1

          • I just tried copying and pasting the contents.

            You’ll have to manually change all the copied “quote” notations as they don’t work pasted off the web.

            Like or Dislike: Thumb up 1 Thumb down 1

          • Anyone know if Firefox can clear Temporary Internet Files, Cookies, History, Form Data, and Stored passwords from a command line to be used in a batch file? So far, I have been unable to find a way to do so, which has prevented me from seriously considering it as my primary browser!

            Like or Dislike: Thumb up 1 Thumb down 1

            • Presuming you’re not on a Unix platform: why don’t you try InCtrl5 to see what’s affected when you run, then write the script yourself? Clue: FF won’t be using TIF.

              Like or Dislike: Thumb up 0 Thumb down 0

          • Destructively naïve. -1.

            Like or Dislike: Thumb up 2 Thumb down 4

            • Naive? Why? Because I don’t toe the line about using a Live CD and encourage people to use multiple layers (Defense in Depth)? Or that I don’t use Firefox as my primary browser? Or that I don’t bash Microsoft?

              14+ years of malware free computer use! Using Windows and IE nonetheless! Yes, I’m destructively naive! :)

              Like or Dislike: Thumb up 3 Thumb down 1

            • @xAdmin:

              “Naive? Why? Because I don’t toe the line about using a Live CD”

              In a word, yes. The TabNapping vulnerability described in this article is a browsing-level issue not related to a specific operating system. However, it is only one of a wide variety of vulnerabilities, many of which are targeted at and specifically designed to infect Microsoft Windows. Not using a Live CD means booting with a vulnerable hard drive, which is the basic requirement for infection, and so massively increases the risk of online use.

              (from earlier comment) “I find it more practical and useful to properly secure my systems so I can use them with confidence.”

              I dispute that Microsoft Windows can be fully secured by any means whatsoever. Not only are new OS vulnerabilities always being found even after years of patching, but using Windows means that a tasty easy-to-write hard drive is just waiting for infection. Because Windows is “once infected, always infected” (until the OS is reinstalled), preventing such infection is one of the major goals in computer security. Using an easily-infected boot hard drive exposes the single most important defense level to whatever may happen while browsing, which is the opposite of “Defense in Depth.”

              “operating the computers in a way to ensure they remain clean. I’ve been doing so for 14+ years”

              In many cases, even a single operator error is sufficient to infect a Microsoft Windows system. Yes, people can be trained to do better, but not even an expert can be relied upon to never make a human error, and that is what is required. Moreover, since there exists no set of tools which can guarantee to find any existing infection, there is literally no way to know that you have in fact “remained clean.”

              It seems difficult to support the use of Microsoft Windows online simply for convenience, when the massively inconvenient consequences of infection are so well known.

              Currently, I recommend booting free Puppy Linux from DVD with Firefox and many security add-ons, which my non-technical wife likes and uses, which I am using now, and for which the setup is described on my site.

              Like or Dislike: Thumb up 1 Thumb down 4

        • The live CD is good. The dedicated box not so. For obvious reasons. But anyway: the live CD is only good if you don’t go wandering off to other sites.

          Like or Dislike: Thumb up 1 Thumb down 0

      • “3. Launch browser in No Add-ons mode and a blank page”

        I remember Aurora/abetterinternet/nail.exe would force IE homepage to about:blank, circa 2000 was when I was infected with it. Perhaps the best suggestion is to open the browser by clicking a bookmark you store in My Docs or desktop, bypassing the start page entirely.

        Like or Dislike: Thumb up 1 Thumb down 0

        • By default, IE8 launches to a blank page when run in No Add-ons mode. My browser is normally set to launch to a blank page as well. The idea either way is to start from a blank slate, no other webpage has been loaded with its cached files and cookies to minimize HTML tricks. The No Add-ons mode ensures all Add-ons, such as Flash Player are not loaded or able to load when using a sensitive site.

          Like or Dislike: Thumb up 3 Thumb down 0

      • As a Linux user, I access sensitive websites from separate user accounts I set up specifically for each of the sensitive sites. This keeps everything related to each site compartmentalized. While I do use NoScript, ghostery and Better Privacy with pretty much all websites, I do limit the extensions available during sensitive browsing by installing the extensions per user rather than system wide. Only the extensions I judge appropriate for the sensitive sites are installed to their respective accounts.

        Like or Dislike: Thumb up 1 Thumb down 1

        • I do something similar within IE and across the OS as well.

          Per user in IE, I disable ALL Add-ons except those I specifically use on a regular basis. For the general non-admin user, only Flash Player and XML 6 stuff (not XML 3’s) are enabled. When needed, I may enable an Add-on (ex. Windows Media Player), but when done go back and disable it again. For the admin user, which is ONLY used to update/patch software or run maintenance tasks (check disk, disk defrag, etc.), all Add-ons are disabled except those required to use the Microsoft Update website.

          Also for all users, I disable the browser’s “Auto Complete” functionality and for privacy, I have a list of about 100 ad sites that are blocked for cookies (IE’s Privacy tab). That list is stored in the registry and is exported for backup or use on other systems.

          For the OS, I disable any unneeded services to harden the OS and reduce its attack surface. As an example, since I don’t need File and Printer Sharing on my home network, I uninstall it via Network Connections, which removes the “Server” service from the system. Many other services (too numerous to name here) are stopped and set to “Disable” (via Computer Management). I also use a blocking hosts file to block known malicious sites and ad sites, which works at the OS level regardless of what application may access the Internet.

          Like or Dislike: Thumb up 2 Thumb down 0

    5. Yes, use No-Script aggressively – only run scripts you need to run – and the only java you should use is the stuff you drink.

      Like or Dislike: Thumb up 4 Thumb down 2

    6. The creativity and imagination of cyber-criminals constantly amazes me. The world truly is their oyster, I guess.

      TabCloaking or maybe TabJacking comes to mind.

      Love your blog, Brian.

      Like or Dislike: Thumb up 3 Thumb down 1

      • David, Aza Raskin is not a “cyber-criminal”, he is a user interface developer at Mozilla. He is simply pointing out a weakness in the user interface design of modern browsers – and making a sales pitch for the latest Mozilla Labs project, the account manager (which I should try out btw).

        Well-loved. Like or Dislike: Thumb up 9 Thumb down 4

        • Yes, you are correct. That’s what I get for not paying close attention. Didn’t mean to insult anyone.

          Well-loved. Like or Dislike: Thumb up 4 Thumb down 0

    7. Hidden due to low comment rating. Click here to see.

      Poorly-rated. Like or Dislike: Thumb up 2 Thumb down 12

    8. It’s a very elegant phish.
      Tabnabbing.

      Like or Dislike: Thumb up 0 Thumb down 2

    9. Thanks for the writeup. I like your term “tabnabbing” and have added it to the blog post :)

      Well-loved. Like or Dislike: Thumb up 6 Thumb down 1

    10. Umm… works in Safari on Mac. Dang!

      Like or Dislike: Thumb up 3 Thumb down 1

    11. @Brian,
      Aza’s PoC worked just fine for me on latest Chrome, i.e. Google Chrome 6.0.408.1 (Official Build 47574) dev.

      May it be it took too long to load for you on other browsers because the big image was not cached?

      However, even if this PoC was hacked together and tested on Firefox only, it can be made fast and cross-browser with little effort.

      Well-loved. Like or Dislike: Thumb up 4 Thumb down 0

      • You are right, Giorgio. It must have taken waaay too long, because I waited a bit and kept checking back. Now, when I come back to my PC this a.m., I can see that it did at some point change. Odd.

        Like Safari on the Mac, it doesn’t change the favicon in the tab though, just the description.

        Like or Dislike: Thumb up 0 Thumb down 0

    12. RoboForm doesn’t offer to fill in password on the new page so once again the value of this useful Password Keeper is proven. Any time RoboForm doesn’t automatically offer to fill in forms it forces me to slow down and figure out what’s going on.

      Well-loved. Like or Dislike: Thumb up 4 Thumb down 0

      • The Opera wand and the Secure login Firefox extension also address this.

        Like or Dislike: Thumb up 0 Thumb down 0

      • Exactly. It looks like a domain-aware password manager will protect you from this clever tactic.

        I look forward to the day when secure password managers are available by default and almost transparent to the user. Brute forcing passwords and phishing attacks would become much less likely to succeed.

        (1Password on Mac rocks my world.)

        Like or Dislike: Thumb up 0 Thumb down 0
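    The reason a domain-aware password manager is not fooled, as the comments above note, is that the tabnabbed page still lives at the attacker's own origin; only its title, favicon and body pretend to be Gmail. The following is an added example written for this post, not code from RoboForm, 1Password, Opera or any other manager: it shows the exact-origin lookup that makes a manager stay silent on such a page, beside a weaker substring check that a lookalike hostname can defeat. The vault entries and page URLs are constructed.

```javascript
// Added example (not from the post or any named password manager): the
// origin check that makes a "domain-aware" manager refuse to fill a page
// that merely looks like the real site. Credentials are matched by exact
// origin (scheme + host + port), never by what the page looks like.

// Constructed vault: credentials keyed by the origin they were saved on.
const vault = [
  { origin: 'https://mail.google.com', username: 'bob@example.invalid' },
  { origin: 'https://bank.example.invalid', username: 'bob' },
];

// Return the vault entries a manager may offer for the page at pageUrl.
function credentialsFor(vault, pageUrl) {
  let origin;
  try {
    origin = new URL(pageUrl).origin;   // "https://host[:port]"; no path, no title
  } catch (e) {
    return [];                           // unparsable URL: offer nothing
  }
  if (origin === 'null') return [];      // opaque origins (about:blank, data:)
  return vault.filter(entry => entry.origin === origin);
}

// Weak check for comparison: substring match of the saved hostname anywhere
// in the page URL. This is the kind of shortcut ad-hoc autofill code takes.
function naiveCredentialsFor(vault, pageUrl) {
  return vault.filter(entry => pageUrl.includes(new URL(entry.origin).hostname));
}

// Constructed pages: the real site, the tabnabbed page (attacker's origin
// showing a Gmail login picture), a lookalike host that contains the real
// name, and the real host over plain http.
const realGmail = 'https://mail.google.com/mail/u/0/#inbox';
const tabnabbed = 'https://example.invalid/article?ref=feed';
const lookalike = 'https://mail.google.com.example.invalid/login';
const plainHttp = 'http://mail.google.com/';

// Summarise which usernames each check would offer for a page.
function offered(checkFn, pageUrl) {
  return checkFn(vault, pageUrl).map(entry => entry.username);
}
```

    With the strict check, only `realGmail` gets the Gmail entry; the tabnabbed page, the lookalike host and the plain-http page all get nothing. The substring check is also silent on the tabnabbed page, but it happily offers the Gmail credential on the lookalike host and over plain http. Matching on exact origin is what protects against the attack in the post, and it also covers the certificate question raised below: a valid certificate for the attacker's own domain does not make that domain equal to `mail.google.com`.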

    13. It (probably) wouldn’t work on me due to the way I use my tabs.

      I always have my Google Reader tab on the far left, followed by various other standard tabs (such as Facebook, my employer’s website, etc.) in a particular order. The position of these tabs is as important to me as their icon and title.

      If I saw a (fake) Google tab in the wrong spot, I would simply close it rather than logging in to it.

      That said, this is a clever attack and seems likely to work on most people. It would probably even work on me for a site that didn’t occupy a standard spot in my tab layout.

      I would guess that the targets of this technique would be different from the targets of usual phishing techniques. It’s relatively unlikely that a user will leave a tab unattended and then come back to it rather than just closing their browser down, but the ones who do are probably the sort who spot normal phishing attacks a mile away. It’s going after a niche market and, from regular commerce, we know these can be very valuable.

      Like or Dislike: Thumb up 0 Thumb down 4

      • I’m wondering if your assumptions are correct, because I think, if turned into malware, this trick/tactic can be made smart enough to deploy the phish if you have one or more tabs opened to one or more targeted sites AND then each phish in the same tab the original site was opened. If it just picks a random tab, it increases chances to be detected by an observant user. Anyway, it is scary and reminds me email is not the right place to keep confidential info.

        Like or Dislike: Thumb up 2 Thumb down 1

        • I think you misunderstood how the hack works.

          It doesn’t get to pick another tab you already have open and hijack that, it simply changes itself to look like a site you use after a delay in which it hopes that you have switched to another tab so that you don’t notice the actual change. (Actually, it detects that the page has lost focus, so this is pretty much assured.)

          Later, when looking through your tabs, you pick this tab, thinking that it’s the Gmail tab by its icon and get phished.

          On the name: I kinda like the word tabnabbing, but it confuses people who only read the name and not the full description of how it works. The technique is more like a chameleon tab that waits until you aren’t looking and then imitates something else. Actually, the Mimic Octopus would be a very good mascot for this technique.

          Like or Dislike: Thumb up 1 Thumb down 0

    14. When I tried this on IE 8, the Gmail page looked muddy, like a faxed version of a document, or a document that was a photo copy of a photo copy.

      And, it looked suspect even before I opened the real Gmail page, which made the fake one look even muddier.

      Not sure why this is.

      Like or Dislike: Thumb up 0 Thumb down 1

      • That’s because this Gmail page is simply a screenshot of the real one – it isn’t supposed to fool you, just exemplify the point. And it apparently gets downsized in IE8 for you. Which would be trivial to fix if somebody wanted…

        Well-loved. Like or Dislike: Thumb up 4 Thumb down 0

    15. Had to permit the site in two different Firefox extensions (NoScript, Request Policy) before the “attack” would operate. Now if only I could get my users to embrace browser security/privacy controls…

      Like or Dislike: Thumb up 0 Thumb down 0

      • @TheThinker — Can I ask why you’ve decided to use both Noscript and Request Policy? Does one do something that you believe the other does not, or are you simply trying to get double protection? I would think that would be quite a lot of allowing on sites you wanted to work properly.

        Like or Dislike: Thumb up 0 Thumb down 0

        • Brian,
          I actually just loaded RequestPolicy this morning after reading an article at networkworld.com. As I indicated, I’m looking for a (more) user friendly means by which to protect my network users.

          I’ve only been running both for the past hour or so, but they are different in operability. In my opinion, NoScript seems to provide better (read: more advanced) user controls over what content is blocked and where. However, RequestPolicy ships with a predefined whitelist of common domains, the interface is cleaner and more understandable, and it seems to offer greater control over trusted and untrusted sites. Basically, it supplements the lack of content control with site control, but it may be a bit more user friendly.

          Not sure if you were looking for a review ;)

          Like or Dislike: Thumb up 3 Thumb down 0

          • I use both as well… quick to get used to and RequestPolicy protects you against non-javascript redirections. It also kills the last few ads that make it past AdBlock and NoScript. :)

            Like or Dislike: Thumb up 3 Thumb down 0

        • Geeze Brian

          I use both as well. I started using Request Policy after reading your review a few months back. Maybe I thought you suggested it (sorry!) or maybe I was still using it as an evaluation. I can’t remember, but I use both No Script and Request Policy together on pc and Mac. Both of them together are a pain sometimes, but after you set up Request Policy’s whitelist, it’s pretty smooth sailing. I generally go to the same sites so it’s not much of a problem. The combination lets me see what other sites want to connect to the site I am currently viewing. I just dumped my Yahoo! account after I had to agree to a bunch of cookies and permissions. (On Mac I use LittleSnitch as well.)

          Like or Dislike: Thumb up 1 Thumb down 1

          • I wasn’t trying to be critical: I was honestly interested in the reasoning and results, as I’ve never tried using both of those addons in the same browser. Thanks for the feedback.

            Like or Dislike: Thumb up 0 Thumb down 0

            • Oh, I didn’t take it as critical! My “geeze” refers to my lack of getting around to evaluate it. As usual, I read what you review, say, and evaluate. I download when appropriate, and then evaluate it at a later time. I believe Request Policy, combined with NoScript, gives a little more control over what’s allowed to connect. Yes, I realize you reviewed Request Policy “a while back,” but by the time I went to evaluate its worthiness, I realized the combination of the two didn’t seem to be hurting anything. It’s just a few more clicks to either allow or block. I also like Request Policy’s option of importing and exporting files, so I have the same permissions on several computers. But hey, it shows how much I value what you say.

              Like or Dislike: Thumb up 1 Thumb down 0

    16. So I went to Raskin’s site in a new tab and clicked on a few other tabs then back to Raskin’s site. As expected, I saw a Gmail login page. I clicked on some white space on the page and it went back to Raskin’s page. Does this behavior occur only on his page because he’s showing how the exploit works or would clicking on white space be a way to verify that I landed on a legitimate page?

      Like or Dislike: Thumb up 0 Thumb down 0

      • Hey Sam. Raskin purposefully set it up as a lame example — using just an image as opposed to an actual, interactive fake login page. He did it this way just to prove a point, and probably to keep people from getting really upset, or thinking he was trying to phish Gmail users.

        In a real attack, the phishers probably would wait until you submitted your credentials on the fake page, then submit those credentials on your behalf to the real site being spoofed, and then forward you on to an interactive session with that brand. This way, the victim would likely be none the wiser that they’d given away their credentials at a fake site. And in fact, this latter tactic has been used to great effect for several years now.

        Well-loved. Like or Dislike: Thumb up 5 Thumb down 0

    17. You mentioned that “and the test page failed completely against Google Chrome”. But I just tried it in Chrome 5.0.375.55 beta and it worked.

      Like or Dislike: Thumb up 0 Thumb down 0

    18. Password managers of all kinds (extensions or bundled with the browser) don’t get fooled by TabNapping. For instance, in Opera, you can clearly see that the LogIn button is not highlighted.

      Also, the SSL certificate usually prominently visible in the address bar for sensitive sites is cruelly missing.

      Like or Dislike: Thumb up 2 Thumb down 1

      • This POC didn’t use SSL, but I was under the impression it would be trivial for a real attacker to get their own certificate for SSL? In that case, would only the extended validation SSL sites & browsers have another indicator that there’s a problem?

        Like or Dislike: Thumb up 0 Thumb down 0

    19. Kansas City Shuffle?

      Like or Dislike: Thumb up 1 Thumb down 2

    20. I have Raskin’s site up in Chrome on one monitor and was using a second monitor to type an email about it to my office, when Raskin’s site on the first monitor morphed in front of me after a minute or so.

      That was just creepy.

      Like or Dislike: Thumb up 3 Thumb down 0

    21. By the way, I absolutely love your blog, Brian.

      Like or Dislike: Thumb up 3 Thumb down 0

    22. This nice little plugin for Firefox solves that. :)

      https://addons.mozilla.org/firefox/addon/4429

      Like or Dislike: Thumb up 2 Thumb down 4

    23. As usual, another good post Brian.

      While this is an interesting attack, it would seem that a lot of conditions would have to be in place for this to be successful (unlike email phishing, which only takes a single click in a convincing looking email message received by a user).

      First, the user would have to open a browser tab and connect to a bad website which has this phishing script. It is possible that a good website (i.e. krebsonsecurity) was hacked to include this phishing script, but that seems less likely.

      Second, the user would have to move away from the bad website, leaving the tab open (expecting to come back at some point). While they are away, the bad website changes itself to look like some other website (i.e. Gmail login page).

      Third, when the user comes back, they would have to not notice that the original bad website is now gone, replaced by another website (i.e. Gmail) in that same open tab.

      Fourth, the user would have to forget that they hadn’t actually, in this example, been connected to the Gmail website and left that tab open, to be fooled into thinking they were automatically logged out of the Gmail website.

      Fifth, the user would need to attempt to log back into the fake Gmail page presented by the bad website, thinking they were re-logging into the real Gmail website they had forgotten they previously left open.

      As I understand this phishing attempt, if the user actually had another tab open which was connected to the real Gmail website, then they would see two tabs with Gmail text, the tab connected to the real Gmail website and the tab connected to the bad website presenting the fake Gmail login page. The phishing script can’t take over another browser tab (if it could this would be a whole different problem), so it seems that it would be pretty simple to notice something was out of place even in this scenario.

      Like or Dislike: Thumb up 2 Thumb down 1

      • Marty, I think a lot of your assumptions are either invalid or pertain specifically to the PoC not to the generalized possibilities.
        For example:
        First assumption, I think it is highly likely that compromised sites would be used to deliver this, as they are for most everything else. Why would you assume otherwise?
        Second assumption is not how I understand it, I thought the bad site changed *other tabs* not the one in which it was opened.
        Third & fourth & fifth, as others pointed out, the script could be smart enough to select tabs matching its set of fakes, so it replaces a gmail (or other) tab with a fake gmail/other login, user just thinks the session timed out or glitched and needs to restart.

        Point is that this was the initial proof of concept, not the production malware kit that will evolve with experience. It’s got the potential to be really nasty, and targets sophisticated users who are more likely to have lots of tabs open at once and probably consider themselves too knowledgeable to become victims. Wrong!

        Like or Dislike: Thumb up 2 Thumb down 0

        • @Infosec Pro
          “…I thought the bad site changed *other tabs* not the one in which it was opened.”

          I did not understand that from Aza’s blog or his PoC demo. If script running in one browser tab can change the contents of another browser tab, then we are talking about something much more serious – a critical browser design flaw and/or serious browser bug.

      • Even before tabbed browsing, it has always been good practice to open ONLY one browser window when using a website that requires credentials. Doing so completely mitigates this issue.

        Unfortunately, the advent of webmail has only reinforced the idea of having multiple tabs/windows open, which is one of many reasons I loathe webmail!

        Then there are those who NEVER use a website’s log-off function and then immediately browse to other sites, leaving their credentials active in the browser to potentially be exposed to other websites or, at a minimum, to be used to access that secure site again by someone else physically at the computer (e.g. shared computers).

        To me, it is common sense that the only time it is acceptable to open multiple tabs/windows is when passively browsing sites that do not require credentials!

      • Marty, about your comment explaining all the different circumstances that would need to be in place for this to work:

        You clearly sound like an avid computer user who has more expertise than your average user… you have to think about this from the average PC user’s point of view. They would probably never notice this happening. Also, I’ve watched many college students who would have a lot of tabs open (anywhere from 10-100). This attack could easily fool the average user. They would probably just think ‘Oh, I got logged out. I guess I need to log back in’ and never give it any extra thought.

    24. Tabjacked

    25. Tabfoolery.

      How else could it be anything else?

    26. Aviv Raff just pointed me to his own proof of concept, which seems to indicate this attack can be made to work even against Firefox users with the NoScript add-on installed.

      http://avivraff.com/research/phish/article.php

      Raff says the only thing missing here is the “lost focus” detection, and that it reloads after 10 seconds with the phishing.

      Wladimir, Giorgio, I’d be interested in your reactions/takes on this.

      • Sorry (actually, I’m not), but Mr. Raff’s PoC does not work on my copy of FF (3.6.3, WinXP) with NoScript (ver. 1.9.9.77), because NoScript also blocks the meta redirect (I believe this is default behavior for NoScript). I *love* NoScript–definitely one of my must-have add-ons.

      • Pages reloading themselves with a meta-refresh are hardly a novelty (and BTW, Aviv’s “technique” obviously works on any stock browser, not just Firefox) ;)

        If you’re concerned about this, you can already turn meta-refreshes off in Firefox options, “Advanced/Accessibility/Warn me when web sites try to redirect or reload the page”.

        There’s actually something more that can be done about it in NoScript, and I’m tempted to implement it in the next version: an option (enabled by default) to prevent page refreshes on tabs other than the current one (this would save some bandwidth too).

        • fwiw, you’ll probably find this breaks some MXR behaviors if you ‘open link in background tab’.

          I’m not sure how often, as I don’t recall which behaviors rely on redirects (they should be easier to spot these days as I’ve added an apology message blaming browsers for the need to include the message).

          It’s also possible that this might break some version of Bugzilla’s buglist.cgi.

          Probably an interesting variant on this would be to use multipart/replace (à la buglist.cgi in Mozilla/5) instead of a proper refresh. Again, blocking this would break Bugzilla (for Mozilla/5 browsers). OTOH, if you properly whitelist sites that are known to use this feature, then it’s less of an issue.

          I guess that’s one of the things I love about NoScript and other RBAC systems: features are enabled only if a site is known to need them, and everywhere else they’re off.

          • Would you see this as an issue even if this behavior applies only to sites which you’ve got JavaScript disabled on (considering the many ways you’ve got to dynamically disguise a page if JS is enabled, there’s no point in implementing it web-wide)?
            Of course I would also add a feature-specific address pattern whitelist, but I’d prefer not to go through the burden of adding a maintenance UI as well…

      • NoScript 1.9.9.81 ( http://noscript.net/getit#direct ) should take care of Aviv’s scriptless variant as well :)

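One way to implement the background-tab refresh policy Giorgio sketches in this thread (block refreshes on tabs other than the current one, only for sites with scripts disallowed, with an address-pattern whitelist), together with parsing the meta-refresh directive used by the scriptless variant, as an added JavaScript example that is not NoScript’s own code. The function names, the whitelist syntax and the sample page are constructed for illustration.

```javascript
// Added example (not NoScript's code): a NoScript-style policy for the scriptless
// meta-refresh tabnabbing variant. A page left in a background tab may carry
// <meta http-equiv="refresh" content="10; url=..."> so that it reloads as a
// phishing page after a delay. The policy blocks such a refresh only when the tab
// is not the current one, scripts are already disallowed for the site, and the
// site is not on a per-feature whitelist.

// Extract delay (seconds) and target URL from a refresh directive such as
// "10; url=http://example.test/login" (also accepts "10;URL='...'" and bare "10").
function parseRefreshContent(content) {
  const m = /^\s*(\d+(?:\.\d+)?)\s*(?:[;,]\s*(?:url\s*=\s*)?['"]?([^'"]*?)['"]?\s*)?$/i.exec(content);
  if (!m) return null;
  return { delay: Number(m[1]), url: m[2] || null };
}

// Find the first <meta http-equiv="refresh"> in a document and parse it.
function findMetaRefresh(html) {
  const tag = /<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*>/i.exec(html);
  if (!tag) return null;
  const content = /content\s*=\s*["']([^"']*)["']/i.exec(tag[0]);
  return content ? parseRefreshContent(content[1]) : null;
}

// Decide whether to suppress the refresh. `whitelist` holds hostname patterns
// (a leading "*." also matches subdomains) for sites known to rely on refreshes.
function shouldBlockRefresh({ tabIsCurrent, scriptsAllowed, pageUrl, whitelist = [] }) {
  if (tabIsCurrent) return false;    // only background tabs are covered
  if (scriptsAllowed) return false;  // with JS allowed the page can disguise itself anyway
  const host = new URL(pageUrl).hostname;
  const whitelisted = whitelist.some(p =>
    p.startsWith('*.') ? host === p.slice(2) || host.endsWith(p.slice(1)) : host === p);
  return !whitelisted;
}

// Constructed sample: a background-tab page that reloads itself after 10 seconds.
const SAMPLE_HTML = `<html><head><title>Article</title>
<meta http-equiv="refresh" content="10; url=http://attacker.invalid/fake-login">
</head><body>Some article text</body></html>`;

const refresh = findMetaRefresh(SAMPLE_HTML);
console.log(refresh, shouldBlockRefresh({ tabIsCurrent: false, scriptsAllowed: false,
  pageUrl: 'http://attacker.invalid/article.php' }));
```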

    27. How about phake-phishing?

    28. Favicon changes also on Chrome 6.0.408.1 dev

      Scary stuff…

    29. That Aviv Raff link has just blown my mind. Scary stuff: first tabrustling, now linkrustling!!!

    30. Well, at least he’s using jQuery, so it will be compatible with several browsers.

      I would not call it “tabnapping” because he’s not really hijacking the tab or the browser at all. A better name for it would be DEVIUS – short for “don’t ever visit untrusted sites.”

    31. Tabfuscating…

    32. Tabfscker :)

    33. My boyfriend sent this* to me. I didn’t have time to read it immediately, and when I found the time, there was just a login screen in the tab. I knew immediately something was wrong because of Colourful Tabs. The tab had a different colour than I am used to seeing on the Google site. It would never ever have come to my mind that this simple plug-in could be useful for security :) .

      *http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

    34. Suggestion for naming this type of phishing attack:
      Tabbelganger (as in Doppelgangering of Tabs)

    35. SANS has picked up the story as well:

      Tabnabbing new method for phishing
      http://isc.sans.org/diary.html?storyid=8854

      It’s always interesting to see the comments section (of either site!), although I prefer Brian’s! :)

    36. Very interesting attack and very well described. This is certainly one I might fall for myself if I didn’t use KeePass and always use it for launching the tab and doing credentials.

      In the interest of not redefining what “nabbing” means, I’ll throw in my vote for the above mentioned “Tabfoolery” and “Tabfuscating” as well as throw in my own:

      Tabmorphing (General attack class)

      – or more specifically -

      TabMorphishing (Morphing a tab with the intent of phishing)

    37. Does it need to be multiple tabs, or can it be multiple open windows? The web-based software at the hospital where I work opens a jumble of windows and requests the same password twice in the course of accomplishing a single patient data lookup, with the menu window remaining on top of the window it opens to report the data. It’s common for the staff to be browsing the web to view medical literature websites while checking lab and X-ray results in one program and writing progress notes in another — lots of open windows. And in the name of security, the software logs people out after a very brief interval of inactivity (usually shorter than it would take a staff person to complete a progress note in the other window before returning to look up data on the next patient), so no one would question a login page at all. It’s in-house software, but someone taught these people to design web pages this way — it can’t be the only institution with software like this.

      So people having multiple secure windows open is not an unlikely scenario. What’s more of a stretch is how to get them to also open a compromised web page and how to anticipate what kind of login screen they will be expecting to see when it morphs. But since you can easily purchase a list of email addresses for doctors based on the hospital where they work, if you knew what their login screen looked like, you could send out an email purporting to be from a well-known information source like the NIH, announce some ground-breaking research that people would be sure to discuss at morning rounds, and provide a link to the compromised page that spoofed that organization’s website while morphing into that hospital’s login page.

      Tabamorphosis?

    38. @BrianKrebs

      Well, I did try opening the following link in a new tab of Opera 10.53 and, just as suggested, after a minute it changed to a screenshot of the Gmail page from the actual link:

      http://avivraff.com/research/phish/article.php

      But the address bar wasn’t changed, and the SSL certificate lock symbol was missing from the address bar as well!

      BTW, I always use Private Browsing when I am surfing the net.

      So is it safe to say that Opera 10.53, the latest version, on Windows XP Pro isn’t affected by “Tabnapping”? Correct me if I am wrong. What about without JavaScript enabled?

      Nice post, and thanks for the post, much appreciated. :)

      Well I will call it TabPhishing or TabMasking or TabSpoofing. ;)

      • It didn’t work for me in Opera 10.53…
        The page doesn’t switch, it only reloads, nothing else happens.

    39. Tabjacking!

    40. Aviv messed up the text encodings.

    41. It appears that I owe Rick an apology.

      I submitted the story to Slashdot that credited Mr. Raskin with the name “tabnapping”.

      Apologies!

      Scamdetect

    42. I’m glad to be aware of this evil tabjacking!

      While this is a devious way to steal a couple of passwords, this is not going to become a mainstream attack IMO.

      I haven’t read any good statistics on the subject, but I don’t think most people use tabs, and let’s consider that workplaces, for example, usually have IE6 (Citibank in Poland has Windows 2000….) installed anyway, so the phisher doesn’t need new exploits to get a backdoor, which is much more valuable than passwords.

      So in order to be a victim of this sort of phishing, the target needs a browser with tabs (and even today most aren’t), to be using tabs while logged into at least 1 exploited web page, to be ignoring the address row, and not to be running anything like NoScript (even if it bypasses NoScript, it surely lowers the success rate of the attacks).

      Bottom line: it is scary, but Rogue AVs and Adobe exploits are still scarier, and for the hackers it is still better statistically to just go for IE6 stuff.

    43. er, ominously, Raskin’s getting a 403

      tweeted, tx.

    44. I always have (the same) three sites open for research purposes, GMAIL being one of them. Regardless of how many tabs I have open eventually, I keep these same three tabs in the left-most positions and always in the same order. I can’t recall whether I’ve seen this attack since, should the offending GMAIL tab-nab appear in any other tab than the one I’ve “assigned”, I simply close the tab and verify the GMAIL session in my GMAIL tab. The only reason that GMAIL would appear in multiple links to begin with is when I specifically open an item from my GMAIL in another tab.

      Creepy attack all the same. If they can do it with GMAIL, they can do it with any site. Wouldn’t seem that difficult to harvest the sitenames to which current sessions are open. Of course, I’m no programmer.

    45. I find myself wondering if this would be enough to trick browser / plugin based password programs into providing the credentials without even user intervention. I myself use lastpass.com; however, I have it set up pretty strictly such that I need to enter my master password each time. However, there is a feature that would allow one to “autologin” to sites that the plugin detects have been logged out of. If this were the case, then when the JavaScript modified the page, I wonder if LastPass (or whatever) would detect the modification and try to login – even without the user on the page!?

    46. It seems the issue happens on this page too.
      With Firefox, it happens even with NoScript, which doesn’t allow scripts to run.

      By the way, I can see this page correctly formatted only with Opera. Firefox and Chrome show me a badly formatted page in the comments section.

    47. It does not work with the latest version of NoScript, 1.9.9.81. You have to download that version from the NoScript website. Hopefully Mozilla will get it added to the Add-ons site soon.

    48. There are so many things wrong with your post, don’t want to hijack the thread with a long response. My bad, got baited with the destructively naïve post earlier. :)

    49. Sorry, that was supposed to be directed to Terry Ritter’s post, May 26, 2010 at 12:19 pm
