Devious ‘Tabnapping’ Attack Hijacks Browser Tabs
Posted on 05/25/2010 12:19:17 PM PDT by Gomez
Traditional phishing attacks are reasonably easy to avoid: just don’t click links in suspicious e-mails (or, for the really paranoid, any e-mail). But Firefox Creative Lead Aza Raskin has found a far more devious way to launch an attack by hijacking your unattended browser tabs.
The attack works by first detecting that the tab the page is in does not have focus. Then the attacking script can change the tab favicon and title before loading a new site, say a fake version of Gmail, in the background.
Even scarier, the attack can parse through your history to find sites you actually visit and impersonate them.
For example, using Raskin’s method an attacker can hijack your page, detect that you frequently log in to Citibank’s website and impersonate that site, complete with a message about automatically ending your session and asking you to log in again.
Because most of us trust our tabs to remain on the page we left them on, this is a particularly difficult attack to detect. As Raskin writes, “as the user scans their many open tabs, the favicon and title act as a strong visual cue; memory is mailable and moldable and the user will most likely simply think they left [the] tab open.”
The only clue that you’re being tricked is that the URL will be wrong.
Raskin has set up a demonstration on his blog post. Visit the page, switch to another tab and then notice that Raskin’s site will reload to look like the Gmail interface (Raskin uses an image for the demo, obviously easy to detect, but a real attack would offer a login page just like Gmail).
In my testing the attack worked in Firefox 3.6, 3.7a, Opera 10 and Safari 4. It did not work in Google Chrome on OS X when the tab was in the background, though it did work when I switched from Chrome to another application. Also, some browsers don’t change the favicon, though it’s possible that they could with a little tinkering to Raskin’s script.
So how do you stop this attack? Well, Raskin points out that Firefox’s coming Account Manager, which delegates tasks like logging in to the browser, is one possible fix, since it always looks at the URL, even if you don’t. Similar tools like 1Password would also work, provided you use them every time you log in to a website.
The other fix is on the developer side: just make sure your site doesn’t load any remote scripts. Even if you trust the site your script is loading from, it’s possible that site could be compromised.
In the meantime, up your paranoia level and start paying attention to the URL bar.
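The developer-side fix described in the article can be checked mechanically. The following is an added example, not code from the article or from Raskin’s demo: it lists every `<script src>` on a page that resolves to a different origin than the page itself. The function names, the sample markup and the `shop.example` / `widgets.example.net` hosts are constructed, and the regex tag scan is an assumption that is good enough for an audit pass but is not a full HTML parser.

```javascript
// Added example: audit a page for scripts loaded from another origin.
// Any such script runs with full control of the page, which is what
// lets a compromised third party retitle and replace a background tab.
const SCRIPT_TAG = /<script\b([^>]*)>/gi;
const ATTR = /([^\s=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Parse the attribute text of one tag into a lower-cased name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return one finding per <script src> whose origin differs from the page's.
function findRemoteScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const tag of html.matchAll(SCRIPT_TAG)) {
    const { src } = parseAttrs(tag[1]);
    if (!src) continue; // inline script, nothing fetched
    let resolved;
    try {
      resolved = new URL(src, page); // handles relative and //host forms
    } catch {
      findings.push({ src, origin: null }); // unparseable: review by hand
      continue;
    }
    // Origin = scheme + host + port, so http:// on an https page counts.
    if (resolved.origin !== page.origin) {
      findings.push({ src, origin: resolved.origin });
    }
  }
  return findings;
}

// Constructed sample page (not taken from any real site).
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="https://shop.example/js/cart.js"></script>
<script async src='//widgets.example.net/badge.js'></script>
<script src=http://shop.example/legacy.js></script>
<script>var inline = true;</script>
</head></html>`;

console.log(findRemoteScripts(SAMPLE_HTML, 'https://shop.example/checkout'));
```

Scripts injected at runtime by other scripts do not appear in the static markup, so an empty result covers only what the HTML itself requests.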
Yikes. I am very heavy in the security world these days. This is pretty interesting.
This is definitely not cool. I know Firefox for version 4 is slated to have a way to hide the history, but it’s not been said how they will address it.
From what I’ve heard, browsers are designed for allowing access to this history. There’s even a website that can show you a number of places you’ve visited just by displaying their page. It is either through the history or through deciphering the cookies.
As I’ve said many times, “It will be amusing when the hacker scum discover that Firefox and other ‘Not Microsoft’ browsers are as fun to hack since they are as or more open than IE now.” This is a case where by trying to kill IE, they might be making it into the most secure as it has to defend the most.
Seeing more browser hijack threats and more indications that Firefox is just as vulnerable as IE.
But isn’t it the browser that is the only thing determining the color? In this case, I believe it is only the browser doing it. There’s no reason for a browser to SEND all of our history to others to simply change a color on only our screen.
I think other history-related issues are at play with this thread and not the hyperlink color thing you mention. Sorry.
Wow! That’s pretty wicked!
Thanks for the heads up!
Frack! I’m about ready to go back to Netscape 1.0, text-only ;-)
Can you post the name of that site?
Odd error found; “memory is mailable and moldable”; probably should be ‘malleable,’ but since this doesn’t affect the story and outcome, who cares.
All in all, Firefox today, with a good set of extensions, is the most privacy-protecting browser on the market. Extensions that you must have are: NoScript, Adblock Plus, Ghostery, OptimizeGoogle. Keep your IE or Chrome for script-heavy trusted sites, but do most of your casual browsing in FF. You'd be amazed to see how many spy and ad sites it blocks.
I keep history for one day and keep cookies turned off with a few exceptions. See any problem with that?
This article references that and other sites:
Your solutions don't block scripts, and those scripts can do whatever they want to in your browser (such as execute the attack that the article describes.) Web bugs are also not affected, and they report your page visit to whoever planted the bug.
Thanks... JavaScript is now off... let’s see if it adversely affects my surfing.
A lot easier to just use konqueror.
I just get a network error when I try to hit that site.
What about IE8? Surely that was able to fall to this attack.
Ok, I just tested on IE8. It only 1/2 worked. The IE logo was still showing on the page—it wasn’t replaced with the Gmail logo.
Oh and I had to run it in compatibility mode. If I didn’t run it in compatibility mode the video player would still be on the page over top of the Gmail prop.
I’ve never run with tabs for some reason they annoy me greatly?
The difference between MSIE and Firefox, however, is that there are extensive open source communities writing for Firefox whereas MSIE is closed and relegated to the hallowed halls of MS programming. Open source communities generally perform much more extensive exploit testing and plug their holes quicker. They may be fun to hack, but oftentimes the hackers are the same people who are patching the holes.
Think of it like the stories of corporations or the FBI/CIA hiring hackers who breached their networks in order to harden them to future attacks.