Posted on 05/25/2010 12:19:17 PM PDT by Gomez
Traditional phishing attacks are reasonably easy to avoid, just don't click links in suspicious e-mails (or, for the really paranoid, any e-mail). But Firefox Creative Lead Aza Raskin has found a far more devious way to launch an attack by hijacking your unattended browser tabs.
The attack works by first detecting that the tab the page is in does not have focus. Then the attacking script can change the tab favicon and title before loading a new site, say a fake version of Gmail, in the background.
Even scarier, the attack can parse through your history to find sites you actually visit and impersonate them.
For example, using Raskin's method an attacker can hijack your page, detect that you frequently login to Citibank's website and impersonate that site, complete with a message about automatically ending your session and asking you to login again.
Because most of us trust our tabs to remain on the page we left them on, this is a particularly difficult attack to detect. As Raskin writes, "as the user scans their many open tabs, the favicon and title act as a strong visual cue; memory is malleable and moldable and the user will most likely simply think they left [the] tab open."
The only clue that you're being tricked is that the URL will be wrong.
Raskin has set up a demonstration on his blog post. Visit the page, switch to another tab and then notice that Raskin's site will reload to look like the Gmail interface (Raskin uses an image for the demo, obviously easy to detect, but a real attack would offer a login page just like Gmail).
In my testing the attack worked in Firefox 3.6, 3.7a, Opera 10 and Safari 4. It did not work in Google Chrome on OS X when the tab was in the background, though it did work when I switched from Chrome to another application. Also, some browsers don't change the favicon, though it's possible that they could with a little tinkering to Raskin's script.
So how do you stop this attack? Well, Raskin points out that Firefox's coming Account Manager, which delegates tasks like logging in to the browser, is one possible fix, since it always looks at the URL, even if you don't. Similar tools like 1Password would also work, provided you use them every time you login to a website.
The other fix is on the developer side, just make sure your site doesn't load any remote scripts. Even if you trust the site your script is loading from, it's possible that site could be compromised.
In the meantime, up your paranoia level and start paying attention to the URL bar.
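A check for the developer-side fix the article mentions, as an added example that is not part of the original post or of Raskin's script: it lists the script tags in a page's markup that load from an origin other than the page's own. The function name `findRemoteScripts`, the sample markup and the example.* hosts are constructed for illustration.

```javascript
// Added example: report <script src> tags that fetch code from another origin.
// findRemoteScripts and SAMPLE_HTML are constructed for illustration.
function findRemoteScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const remote = [];
  // Opening <script ...> tags only; closing tags start with "</" and never match.
  const tagRe = /<script\b([^>]*)>/gi;
  // src="..." | src='...' | src=unquoted; the leading \s keeps data-src out.
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const s = srcRe.exec(m[1]);
    if (!s) continue; // inline script: nothing is fetched
    const raw = (s[1] || s[2] || s[3] || "").trim();
    let resolved;
    try {
      // Resolves relative and protocol-relative (//host/x.js) URLs against the page.
      resolved = new URL(raw, pageUrl);
    } catch (err) {
      remote.push({ src: raw, origin: null, reason: "unparseable src" });
      continue;
    }
    // Origin is scheme + host + port, so http:// on an https:// page also counts.
    if (resolved.origin !== pageOrigin) {
      remote.push({ src: raw, origin: resolved.origin, reason: "cross-origin script" });
    }
  }
  return remote;
}

// Constructed sample page: two same-origin scripts, two remote, one inline.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="//widgets.example.net/badge.js"></script>
<script SRC='http://stats.example.org/track.js' async></script>
<script>var inline = 1;</script>
<script data-src="https://ignored.example/x.js" src=js/local.js></script>
</head></html>`;

const findings = findRemoteScripts(SAMPLE_HTML, "https://www.example.com/account/login");
for (const f of findings) console.log(`${f.reason}: ${f.src} (${f.origin})`);
```

This only sees scripts present in the static markup; scripts injected at runtime by other scripts need a check in a real browser.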
I just get a network error when I try to hit that site.
What about IE8? Surely that was able to fall to this attack.
Ok, I just tested on IE8. It only 1/2 worked. The IE logo was still showing on the page—it wasn’t replaced with the Gmail logo.
Oh and I had to run it in compatibility mode. If I didn’t run it in compatibility mode the video player would still be on the page overtop of the Gmail prop.
self ping
I’ve never run with tabs for some reason they annoy me greatly?
The difference between MSIE and Firefox, however, is that there are extensive open source communities writing for Firefox whereas MSIE is closed and relegated to the hallowed halls of MS programming. Open source communities generally perform much more extensive exploit testing and plug their holes quicker. They may be fun to hack, but oftentimes the hackers are the same people who are patching the holes.
Think of it like the stories of corporations or the FBI/CIA hiring hackers who breached their networks in order to harden them to future attacks.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.