What is Tabnapping?
With today's world offering high-speed multi-core processors, everyone wants to use multitasking to the fullest, and multiple browser tabs are no exception. At the time I was writing this article, I had more than nine browser tabs open, connected to various websites, and I am sure that I am not unique in this. Ask me whether I remember which site I had open in each one, and the truth is that I do not. This behavior makes me extremely vulnerable to a tabnapping attack. Many people use multiple tabs to access banking, Gmail, Facebook and other websites simultaneously, as multitasking makes this a necessity.
The problem is that this behavior enables tabnapping attacks. Tabnapping, a blend of the words "tab" and "kidnapping", uses the browser's multi-tab environment to confuse the user and redirect an unused tab to the attacker's phishing page. The phisher no longer has to bait unsuspecting victims via email and, more importantly, no longer has to gain the victim's trust: innocent users simply log in to a page that they believe they opened themselves.
How does it work?
Raskin also pointed out that: "Every time you include a third-party script on your page, or a Flash widget, you leave yourself wide open for an evil doer to use your site as a staging ground for this kind of attack." Tabnabbing can get really terrible when it is combined with tools like a CSS history miner, which detects which websites the user has visited and then customizes the attack for that specific website. There are also other methods to determine whether a user is currently logged in to a web-based service. Once the attacker knows which services a victim is currently logged in to, the attack becomes even more effective.
Defending yourself from the attack
- Don't log in on a tab that you haven't opened yourself: since the tabnapping tactic relies on you trusting that you opened the tab, if you see a tab asking for reauthentication, close it and go back to the site in a new tab to log in.
- Look at the URL in your browser's address bar before filling in any form or giving out any personal information: unless the attackers are able to exploit a vulnerability or flaw to fake the URL, it will not match the bogus log-in screen.
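As an added example that is not part of the original article or of Raskin's demonstration, the following content-script logic turns the two defenses above, together with the "unused tab gets redirected" mechanism described earlier, into checks a browser extension could run on the user's behalf: it snapshots the tab's identity (title, favicon, URL, presence of a login form) when the tab is hidden, compares it when the tab comes back, and verifies the host of any page showing a password field against the user's own list of trusted login hosts. The function names, the trusted-host list and the warning text are this example's own assumptions.

```javascript
// Added example for this article (not code from the original page or from Raskin's
// demonstration). Assumed names: snapshotIdentity, detectSwap, checkLoginHost,
// installTabnappingGuard and TRUSTED_LOGIN_HOSTS are all this example's own.

// Capture what the user recognises the tab by: title, favicon, URL and whether a
// login form is present.
function snapshotIdentity(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.getAttribute('href') : null,
    href: loc.href,
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Compare the tab as it was when hidden with the tab as it is now visible.
// A genuine navigation changes the URL; a tabnapping swap rewrites the page in
// place, so the URL stays the same while title, favicon or forms change.
function detectSwap(before, after) {
  const reasons = [];
  if (before.title !== after.title) reasons.push('title changed while the tab was hidden');
  if (before.favicon !== after.favicon) reasons.push('favicon changed while the tab was hidden');
  if (!before.hasPasswordField && after.hasPasswordField) {
    reasons.push('a login form appeared while the tab was hidden');
  }
  const sameUrl = before.href === after.href;
  return { suspicious: sameUrl && reasons.length > 0, reasons };
}

// "Look at the URL": a password field is only expected on a trusted host or one of
// its subdomains. A lookalike such as "facebook.com.example.net" is rejected because
// it does not end with ".facebook.com"; it merely starts with it.
function checkLoginHost(hostname, trustedHosts) {
  const host = hostname.toLowerCase();
  return trustedHosts.some((t) => {
    const trusted = t.toLowerCase();
    return host === trusted || host.endsWith('.' + trusted);
  });
}

// Wire both heuristics to the Page Visibility API. `warn` receives a plain
// message; a real extension would surface it in the page or a toolbar badge.
function installTabnappingGuard(doc, win, trustedHosts, warn) {
  const warnIfUntrustedLogin = (snap) => {
    if (snap.hasPasswordField && !checkLoginHost(win.location.hostname, trustedHosts)) {
      warn('Login form on untrusted host ' + win.location.hostname + '; check the address bar');
    }
  };
  // Check the page as first seen, then again every time the tab regains focus.
  warnIfUntrustedLogin(snapshotIdentity(doc, win.location));

  let hiddenSnapshot = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') {
      hiddenSnapshot = snapshotIdentity(doc, win.location);
      return;
    }
    if (!hiddenSnapshot) return;
    const now = snapshotIdentity(doc, win.location);
    const verdict = detectSwap(hiddenSnapshot, now);
    if (verdict.suspicious) {
      warn('This tab changed while you were away: ' + verdict.reasons.join('; '));
    }
    warnIfUntrustedLogin(now);
    hiddenSnapshot = null;
  });
}

// Constructed trusted-host list for the demonstration; a user would supply their own.
const TRUSTED_LOGIN_HOSTS = ['accounts.google.com', 'facebook.com', 'mybank.example'];

// Only install when running inside a browser; under Node there is no document.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  installTabnappingGuard(document, window, TRUSTED_LOGIN_HOSTS, (msg) => console.warn(msg));
}
```

Sites legitimately change their title while in the background (unread-message counters, for instance), so the swap check is a prompt to look at the address bar rather than proof of an attack; the host check is the firmer of the two signals, and it only helps if the trusted list is maintained by the user rather than by the page being checked.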
Views by Manvi Sharma