May 24, 2010

Most Internet users know to watch for the telltale signs of a traditional phishing attack: An e-mail that asks you to click on a link and enter your e-mail or banking credentials at the resulting Web site. But a new phishing concept that exploits user inattention and trust in browser tabs is likely to fool even the most security-conscious Web surfers.

As Mozilla Firefox creative lead Aza Raskin describes it, the attack is as elegant as it is simple: A user has multiple tabs open, and surfs to a site that uses special javascript code to silently alter the contents of a tabbed page along with the information displayed on the tab itself, so that when the user switches back to that tab it appears to be the login page for a site the user normally visits.

Consider the following scenario: Bob has six or seven tabs open, and one of the sites he has open (but not the tab currently being viewed) contains a script that waits for a few minutes or hours, and then quietly changes both the content of the page and the icon and descriptor in the tab itself so that it appears to be the login page for Gmail.

In this attack, the phisher need not even change the Web address displayed in the browser’s navigation toolbar. Rather, this particular phishing attack takes advantage of user trust and inattention to detail, or what Raskin calls “the perceived immutability of tabs.” Then, as the user scans their many open tabs, the favicon and title act as a strong visual cue, and the user will most likely simply think they left a Gmail tab open.

“When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in,” Raskin explained. “After they have entered their login information and sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.”

Raskin includes a proof-of-concept at his site, which is sort of creepy when you let it run. In fact, at least once while composing this blog post in Firefox I went to click on the tab that had my Gmail inbox open, only to discover I’d accidentally clicked on Raskin’s page, which had morphed into the fake Gmail site in the interim.

It’s important to keep in mind that this attack could be used against any site, not just Gmail. Also, Raskin includes a few suggestions about how this attack could be made far sneakier — such as taking advantage of CSS history attacks.

Of course, if you are browsing with the excellent “Noscript” add-on and this is a site you have not allowed to run javascript, the proof-of-concept won’t work until you allow javascript on the page. It did not work completely against the Safari browser on my Mac (no favicon), and the test page failed completely against Google Chrome. [Update: As several readers have correctly pointed out, this attack does in fact work against Chrome, although it doesn’t seem to change the favicon in Chrome tabs].

I’m left wondering what this new form of phishing will be called if it is ever adopted by the bad guys. Tabnabbing? Tabgrabbing? See if you can coin a better phrase in the comments below.

Update, May 25, 7:55 p.m. ET: Researcher Aviv Raff has posted an interesting proof-of-concept of his own that shows how this attack can work against Firefox even when users have the Noscript add-on installed and in full paranoid mode. Raff crafted his page, which is a mock-up of this blog post, to morph into an image of the Gmail login page; it reloads every 20 seconds but will only change to the sample phish page if you move to another tab with your mouse, or after 10 reloads (in case you moved with the keyboard). So it will change only after 3 minutes or so, unless you move to another tab with your mouse.

“I was trying to find a way to work around the javascript need for the [proof-of-concept],” Raff said in an instant message. “First I was able to do this without knowing if the user moved to a new tab. Now I can almost be sure of that.”

Update, May 27, 11:41 p.m. ET: For Firefox users with the Noscript plugin, there is an update to the program that can block these types of tabnabbing attacks.
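As an added illustration (this is not Raskin’s or Raff’s proof-of-concept, and not the code of the NoScript update), here is the detection logic a browser add-on could apply to the pattern described above: a tab that rewrites its title, favicon or origin while it is not the one being viewed. It is written as a pure state machine over a constructed event trace so that it runs under Node with no browser; the brand table, the origins and the trace are assumptions made for the example.

```javascript
// Added example for this post, not Raskin's or Raff's proof-of-concept and not
// NoScript's implementation: tabnabbing detection as a pure state machine so it
// runs under Node with no DOM. In a browser add-on, handle() would be fed by the
// `visibilitychange` event, a MutationObserver on <title> and <link rel="icon">,
// and the page's navigation events.

// Constructed brand table (an assumption of the example, not from the post): a
// brand name that shows up in a tab title is only legitimate on these hosts.
const KNOWN_BRANDS = {
  gmail: ["mail.google.com", "accounts.google.com"],
  paypal: ["www.paypal.com"],
};

function hostOf(origin) {
  return new URL(origin).hostname.toLowerCase();
}

// Names of known brands that a title claims to be.
function brandsInTitle(title) {
  const lower = title.toLowerCase();
  return Object.keys(KNOWN_BRANDS).filter((brand) => lower.includes(brand));
}

// Tracks one tab. `initial` is the tab's state when the watchdog attaches:
// { visible, origin, title, favicon }.
function createTabWatchdog(initial) {
  const state = { ...initial };
  const alerts = [];

  function alert(severity, reason, from, to) {
    alerts.push({ severity, reason, origin: state.origin, from, to });
  }

  function handle(event) {
    switch (event.type) {
      case "blur":
        state.visible = false;
        break;
      case "focus":
        state.visible = true;
        break;
      case "title":
        // Titles change legitimately in the background (unread counts), so only
        // a hidden tab retitling itself to claim a brand its origin does not own
        // is flagged: that is the "perceived immutability of tabs" being broken.
        if (!state.visible && event.value !== state.title) {
          const host = hostOf(state.origin);
          for (const brand of brandsInTitle(event.value)) {
            if (!KNOWN_BRANDS[brand].includes(host)) {
              alert("high", `hidden tab retitled to claim "${brand}"`, state.title, event.value);
            }
          }
        }
        state.title = event.value;
        break;
      case "favicon":
        if (!state.visible && event.value !== state.favicon) {
          alert("medium", "favicon replaced while tab hidden", state.favicon, event.value);
        }
        state.favicon = event.value;
        break;
      case "navigate":
        // Raff's no-script variant swaps the document with timed reloads. A
        // same-origin reload is not flagged by itself; the title and favicon of
        // the new document are then judged by the cases above.
        if (!state.visible && event.origin !== state.origin) {
          alert("medium", "hidden tab navigated to another origin", state.origin, event.origin);
        }
        state.origin = event.origin;
        break;
      default:
        throw new Error(`unknown event type ${event.type}`);
    }
  }

  return { handle, alerts, state };
}

// Runs a whole event trace and returns the verdict: suspicious when any
// high-severity alert fired, plus every alert for the log.
function assessTrace(initial, events) {
  const watchdog = createTabWatchdog(initial);
  events.forEach(watchdog.handle);
  return { suspicious: watchdog.alerts.some((a) => a.severity === "high"), alerts: watchdog.alerts };
}

// Constructed trace of the attack described in the post: a blog tab loses
// focus, then retitles and re-icons itself to look like Gmail.
const NAB_START = { visible: true, origin: "https://blog.example", title: "Some Blog", favicon: "https://blog.example/favicon.ico" };
const NAB_TRACE = [
  { type: "blur" },
  { type: "title", value: "Gmail: Email from Google" },
  { type: "favicon", value: "https://blog.example/gmail.ico" },
  { type: "focus" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(assessTrace(NAB_START, NAB_TRACE), null, 2));
}
```

The point of the brand table is to keep the check quiet on legitimate background activity: a real webmail tab that changes its title from “Inbox (3)” to “Inbox (4)” while hidden is not reported, because its host is one the brand is allowed on, whereas the same title appearing on an unrelated origin is. A favicon swap while hidden is only rated medium, since the icon can be hosted anywhere and says nothing about the origin on its own.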


141 thoughts on “Devious New Phishing Tactic Targets Tabs”

    1. InfoSec Pro

      Seems like a slightly different twist from Moxie’s paper, although somewhat in the same vein. I didn’t see anything in the tabnabbing paper that related to MITM, seems it could all be done client-side. Although I guess that Raskin’s work might have been suggested by the BH paper if Aza was aware of it. Scary part is that the tabnabbing attack looks like it could be kitted fairly easily, at first glance.

    2. InfoSec Pro

      btw forgot to say, very good link BenK, thanks for sharing it!

  1. xAdmin

    This is why I HATE webmail and use Outlook with SSL POP3 configured to read all mail as plain text. (Minimize any HTML tricks).

    Also, this would be rather easy to mitigate by only opening one tab or window! In fact, I take it further as listed below when it comes to any website of sensitive nature (ex. online banking):

    1. Close all browser tabs and/or windows AND any other web based programs (those that may use the browser cache or Flash Player cache)
    2. Clear browser cache and cookies (I use a batch file that does this and also deletes Flash Player cookie and cache directories)
    3. Launch browser in No Add-ons mode and a blank page
    4. Use a bookmark to bring up the login page or manually type known URL
    5. NEVER browse to any other site while logged into first site
    6. When finished, use the log off function of the website
    7. Close the browser
    8. Repeat step 2 to clear everything again

    It may seem like a pain, but it minimizes the chance of any shenanigans when using sites of sensitive nature.

    1. Jane

      Are all those steps easier than a live CD or other “dedicated PC” option?

      Now for my really dumb question: could you post the content of that batch file? I’d love to have it for myself.

      1. xAdmin

        For me, it is easier than rebooting into a Live CD as that would require planning ahead as to what secure tasks you need to complete, otherwise you’ll be booting in and out of it. I find it more practical and useful to properly secure my systems so I can use them with confidence. It all starts with being disciplined in not only setting up multiple layers of defense (defense in depth), but also in operating the computers in a way to ensure they remain clean. I’ve been doing so for 14+ years. It takes discipline, but it’s about you being in control of your systems, not anyone else! 🙂

        The batch file I use is called cleanup.bat. I store it in my central data area for easy backup and create a shortcut to it to easily launch it when needed. The commands are designed to run from any location. I use it on Windows XP. It should work on newer versions of Windows, although UAC may prompt to run it. It does NOT require administrator access as it runs only on the currently logged in user directories. Create your own batch file (ensure it ends in only bat not txt.bat, may need to disable the “Hide extensions for known file types”) and copy the contents below.

        @rem Close all open programs before running
        @rem %username% - applies to currently logged in user, can be replaced with a specific profile username

        @rem Removes Adobe Flash Player cache and cookie directories
        rmdir /S /Q "C:\Documents and Settings\%username%\Application Data\Adobe\Flash Player"
        rmdir /S /Q "C:\Documents and Settings\%username%\Application Data\Macromedia"

        @rem Clears User Profile "Temp" folder files (files only, not subfolders)
        del /F /Q "C:\Documents and Settings\%username%\Local Settings\Temp"

        @rem Clears IE Temporary Internet Files, Cookies, History, Form Data, and Stored passwords (Applies only to IE7 and newer)
        rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

        @rem Prompts to press any key to continue (to see whether previous command finished before continuing)
        pause

        @rem Exits batch file
        exit

        1. xAdmin

          I just tried copying and pasting the contents.

          You’ll have to manually change all the copied “quote” notations as they don’t work pasted off the web.

        2. xAdmin

          Anyone know if Firefox can clear Temporary Internet Files, Cookies, History, Form Data, and Stored passwords from a command line to be used in a batch file? So far, I have been unable to find a way to do so, which has prevented me from seriously considering it as my primary browser!

          1. Rick

            Presuming you’re not on a Unix platform: why don’t you try InCtrl5 to see what’s affected when you run, then write the script yourself? Clue: FF won’t be using TIF.

          1. xAdmin

            Naive? Why? Because I don’t toe the line about using a Live CD and encourage people to use multiple layers (Defense in Depth)? Or that I don’t use Firefox as my primary browser? Or that I don’t bash Microsoft?

            14+ years of malware free computer use! Using Windows and IE none the less! Yes, I’m destructively naive! 🙂

          2. Terry Ritter

            @xAdmin:

            “Naive? Why? Because I don’t toe the line about using a Live CD”

            In a word, yes. The TabNapping vulnerability described in this article is a browsing-level issue not related to a specific operating system. However, it is only one of a wide variety of vulnerabilities, many of which are targeted at and specifically designed to infect Microsoft Windows. Not using a Live CD means booting with a vulnerable hard drive, which is the basic requirement for infection, and so massively increases the risk of online use.

            (from earlier comment) “I find it more practical and useful to properly secure my systems so I can use them with confidence.”

            I dispute that Microsoft Windows can be fully secured by any means whatsoever. Not only are new OS vulnerabilities always being found even after years of patching, but using Windows means that a tasty easy-to-write hard drive is just waiting for infection. Because Windows is “once infected, always infected” (until the OS is reinstalled), preventing such infection is one of the major goals in computer security. Using an easily-infected boot hard drive exposes the single most important defense level to whatever may happen while browsing, which is the opposite of “Defense in Depth.”

            “operating the computers in a way to ensure they remain clean. I’ve been doing so for 14+ years”

            In many cases, even a single operator error is sufficient to infect a Microsoft Windows system. Yes, people can be trained to do better, but not even an expert can be relied upon to never make a human error, and that is what is required. Moreover, since there exists no set of tools which can guarantee to find any existing infection, there is literally no way to know that you have in fact “remained clean.”

            It seems difficult to support the use of Microsoft Windows online simply for convenience, when the massively inconvenient consequences of infection are so well known.

            Currently, I recommend booting free Puppy Linux from DVD with Firefox and many security add-ons, which my non-technical wife likes and uses, which I am using now, and for which the setup is described on my site.

            1. xAdmin

              There are so many things wrong with your post, don’t want to hijack the thread with a long response. My bad, got baited with the destructively naïve post earlier. 🙂

              1. xAdmin

                Sorry, that was supposed to be directed to Terry Ritter’s post, May 26, 2010 at 12:19 pm

                1. AlphaCentauri

                  Using the WordPress comments feature as if it were a forum doesn’t work very well. It’s impossible to find the most recent posts, too.

                  1. BrianKrebs Post author

                    Actually, you can subscribe to comments on just this blog post if you like (see the manage subscriptions link).

                    Also, if more people would post replies to the person they’re replying to as opposed to just hitting the “submit comment” button, it would be easier to track conversation threads.

                    1. xAdmin

                      The reply button is no longer available at some point. Since it appeared some past replies were made to comments without a reply button, I thought it may have been done by adjusting the URL to a specific comment number. Unfortunately, it didn’t work and posted to the end of the entire comment section.

                      On further review, it may have only appeared replies were done to a post without a reply button due to how the comments are lined up. See how Terry’s comment looks like he responded to my post when it was actually to Rick. 🙂

                    2. xAdmin

                      One last try. I’m hitting the reply button to my last comment above. Let’s see if it puts in the right spot….

                    3. BrianKrebs Post author

                      Yeah, sorry about that. I’m still not sure what happened with the threading of the comments, but I think at some point there were just too many people trying to reply to a comment at the same time. Weird.

                      Well, anyway it seems to have righted itself, whatever the cause was. Thanks for your patience.

        3. Mike

          I find that very few of the people I deal with whose computers are infected actually know that they are infected. Sometimes that condition persists for months or years. So I am extremely skeptical of any claims of being “malware free”.

          1. xAdmin

            @Mike June 1, 2010 at 1:27 pm

            Count me in the few then. I am absolutely confident in what I’ve stated. My systems are locked down from here to Sunday. I’m hyper aware of exactly what’s installed on them and exactly how many processes should be running at any given time. I monitor all aspects of the system and often test them to ensure their integrity. I check the computer logs and firewall logs for anything out of the ordinary. I ensure my AV software updates its definition files at least daily. I occasionally pull the hard drive and run various tests on them, never an indication of infection. At least every six months, I wipe the hard drive and rebuild the system to start from a clean slate. I’ve NEVER had any fraudulent activity on any of my online accounts. Time has proven that if there was any infection that went undetected, it NEVER led to any type of compromise.

            Computer security is a process, not set it and forget it. My motto: “An ounce of prevention is worth a pound of cure!” 🙂

          2. Terry Ritter

            “I am extremely skeptical of any claims of being “malware free”.”

            Presumably, Microsoft could develop a LiveCD to check every Windows file on a hard drive, which then might certify a system as clean for online banking. Currently, no such tool or set of tools exists. So not finding malware does not constitute evidence that there is no malware.

            Any operating system which boots from a writable hard drive or USB flash can be infected. Infection means that a hidden bot becomes active every time the system is started (until the OS is re-installed). As a sad result, computers should not be trusted for online banking unless they boot from CD or DVD.

          3. dward

            Terry Ritter

            The live CD is an interesting idea. Problem is if you get hacked while running the clean OS the live CD doesn’t help you out at all. Because you won’t find out you’re toast till the next time you run the CD.

      2. Rick

        The live CD is good. The dedicated box not so. For obvious reasons. But anyway: the live CD is only good if you don’t go wandering off to other sites.

    2. Russ

      “3. Launch browser in No Add-ons mode and a blank page”

      I remember Aurora/abetterinternet/nail.exe would force IE homepage to about:blank, circa 2000 was when I was infected with it. Perhaps the best suggestion is to open the browser by clicking a bookmark you store in My Docs or desktop, bypassing the start page entirely.

      1. xAdmin

        By default, IE8 launches to a blank page when run in No Add-ons mode. My browser is normally set to launch to a blank page as well. The idea either way is to start from a blank slate, no other webpage has been loaded with its cached files and cookies to minimize HTML tricks. The No Add-ons mode ensures all Add-ons, such as Flash Player are not loaded or able to load when using a sensitive site.

    3. Ron

      As a Linux user, I access sensitive websites from separate user accounts I set up specifically for each of the sensitive sites. This keeps everything related to each site compartmentalized. While I do use NoScript, ghostery and Better Privacy with pretty much all websites, I do limit the extensions available during sensitive browsing by installing the extensions per user rather than system wide. Only the extensions I judge appropriate for the sensitive sites are installed to their respective accounts.

      1. xAdmin

        I do something similar within IE and across the OS as well.

        Per user in IE, I disable ALL Add-ons except those I specifically use on a regular basis. For the general non-admin user, only Flash Player and XML 6 stuff (not XML 3’s) are enabled. When needed, I may enable an Add-on (ex. Windows Media Player), but when done go back and disable it again. For the admin user, which is ONLY used to update/patch software or run maintenance tasks (check disk, disk defrag, etc.), all Add-ons are disabled except those required to use the Microsoft Update website.

        Also for all users, I disable the browser’s “Auto Complete” functionality and for privacy, I have a list of about 100 ad sites that are blocked for cookies (IE’s Privacy tab). That list is stored in the registry and is exported for backup or use on other systems.

        For the OS, I disable any unneeded services to harden the OS and reduce its attack surface. As an example, since I don’t need File and Printer Sharing on my home network, I uninstall it via Network Connections, which removes the “Server” service from the system. Many other services (too numerous to name here) are stopped and set to “Disable” (via Computer Management). I also use a blocking hosts file to block known malicious sites and ad sites, which works at the OS level regardless of what application may access the Internet.

  2. David Chasey

    Yes, use No-Script aggressively – only run scripts you need to run – and the only java you should use is the stuff you drink.

  3. David

    The creativity and imagination of cyber-criminals constantly amazes me. The world truly is their oyster, I guess.

    TabCloaking or maybe TabJacking comes to mind.

    Love your blog, Brian.

    1. Wladimir Palant

      David, Aza Raskin is not a “cyber-criminal”, he is a user interface developer at Mozilla. He is simply pointing out a weakness in the user interface design of modern browsers – and making a sales pitch for the latest Mozilla Labs project, the account manager (which I should try out btw).

      1. David

        Yes, you are correct. That’s what I get for not paying close attention. Didn’t mean to insult anyone.

  4. Louis Leahy

    I have an invention that fixes the phishing problem for network owners to stop their users being fooled.

    1. BrianKrebs Post author

      Well, gosh, Louis, don’t leave us hanging. What’s the invention? Some kind of electric shock therapy maybe?

      🙂

  5. Aza Raskin

    Thanks for the writeup. I like your term “tabnabbing” and have added it to the blog post 🙂

  6. CyberNorris

    Umm… works in Safari on Mac. Dang!

  7. Giorgio Maone

    @Brian,
    Aza’s PoC worked just fine for me on latest Chrome, i.e. Google Chrome 6.0.408.1 (Official Build 47574) dev.

    May it be it took too long to load for you on other browsers because the big image was not cached?

    However, even if this PoC was hacked together and tested on Firefox only, it can be made fast and cross-browser with little effort.

    1. BrianKrebs Post author

      You are right, Giorgio. It must have taken waaay too long, because I waited a bit and kept checking back. Now, when I come back to my PC this a.m., I can see that it did at some point change. Odd.

      Like Safari on the Mac, it doesn’t change the favicon in the tab though, just the description.

  8. Big Geek Daddy

    RoboForm doesn’t offer to fill in password on the new page so once again the value of this useful Password Keeper is proven. Any time RoboForm doesn’t automatically offer to fill in forms it forces me to slow down and figure out what’s going on.

    1. Tobu

      The Opera wand and the Secure login Firefox extension also address this.

    2. Joe Alba

      Exactly. It looks like a domain-aware password manager will protect you from this clever tactic.

      I look forward to the day when secure password managers are available by default and almost transparent to the user. Brute forcing passwords and phishing attacks would become much less likely to succeed.

      (1Password on Mac rocks my world.)
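As an added example (not the code of RoboForm, 1Password, Opera’s wand, or any other manager mentioned in this thread), this is the origin check that makes a domain-aware password manager immune to the tab swap: fill candidates are looked up by the page’s origin (scheme, host, port), never by its title, favicon or appearance, so a page that merely looks like Gmail gets nothing. The vault entries and URLs are constructed for the example; it runs under Node.

```javascript
// Added example, not any named password manager's code: origin-bound lookup of
// stored credentials. A tabnabbed page has the right title and icon but the
// wrong origin, so the manager has nothing to offer and the user gets a cue.

// Constructed vault (an assumption of the example): credentials keyed by origin.
const VAULT = [
  { origin: "https://mail.google.com", username: "bob@example.invalid" },
  { origin: "https://www.paypal.com", username: "bob" },
];

// Normalizes a page URL to its origin. WHATWG URL already drops default
// ports and lower-cases the host; non-web schemes get no credentials at all.
function originOf(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch (e) {
    return null;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return u.origin;
}

// Usernames a manager would offer on this page. Empty on a lookalike origin,
// on a subdomain trick such as mail.google.com.evil.example, and on a plain
// http downgrade of a site that was stored under https.
function fillCandidates(pageUrl, vault = VAULT) {
  const origin = originOf(pageUrl);
  if (origin === null) return [];
  return vault.filter((entry) => entry.origin === origin).map((entry) => entry.username);
}
```

Exact origin equality is deliberately stricter than “same company”: it is the same rule the browser applies to cookies and scripts, and it is the property the fake tab cannot forge without actually controlling the real site.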

  9. Dave

    It (probably) wouldn’t work on me due to the way I use my tabs.

    I always have my Google Reader tab on the far left, followed by various other standard tabs (such as Facebook, my employer’s website, etc.) in a particular order. The position of these tabs is as important to me as their icon and title.

    If I saw a (fake) Google tab in the wrong spot, I would simply close it rather than logging in to it.

    That said, this is a clever attack and seems likely to work on most people. It would probably even work on me for a site that didn’t occupy a standard spot in my tab layout.

    I would guess that the targets of this technique would be different from the targets of usual phishing techniques. It’s relatively unlikely that a user will leave a tab unattended and then come back to it rather than just closing their browser down, but the ones who do are probably the sort who spot normal phishing attacks a mile away. It’s going after a niche market and, from regular commerce, we know these can be very valuable.

    1. george

      I’m wondering if your assumptions are correct, because I think, if turned into malware, this trick/tactic can be made smart enough to deploy the phish if you have one or more tabs opened to one or more targeted sites AND then each phish in the same tab the original site was opened. If it just picks a random tab, it increases chances to be detected by an observant user. Anyway, it is scary and reminds me email is not the right place to keep confidential info.

      1. Dave

        I think you misunderstood how the hack works.

        It doesn’t get to pick another tab you already have open and hijack that, it simply changes itself to look like a site you use after a delay in which it hopes that you have switched to another tab so that you don’t notice the actual change. (Actually, it detects that the page has lost focus, so this is pretty much assured.)

        Later, when looking through your tabs, you pick this tab, thinking that it’s the Gmail tab by its icon and get phished.

        On the name: I kinda like the word tabnabbing, but it confuses people who only read the name and not the full description of how it works. The technique is more like a chameleon tab that waits until you aren’t looking and then imitates something else. Actually, the Mimic Octopus would be a very good mascot for this technique.

  10. PSolus

    When I tried this on IE 8, the Gmail page looked muddy, like a faxed version of a document, or a document that was a photo copy of a photo copy.

    And, it looked suspect even before I opened the real Gmail page, which made the fake one look even muddier.

    Not sure why this is.

    1. Wladimir Palant

      That’s because this Gmail page is simply a screenshot of the real one – it isn’t supposed to fool you, just exemplify the point. And it apparently gets downsized in IE8 for you. Which would be trivial to fix if somebody wanted…

  11. The Thinker

    Had to permit the site in two different Firefox extensions (NoScript, Request Policy) before the “attack” would operate. Now if only I could get my users to embrace browser security/privacy controls…

    1. BrianKrebs Post author

      @TheThinker — Can I ask why you’ve decided to use both Noscript and Request Policy? Does one do something that you believe the other does not, or are you simply trying to get double protection? I would think that would be quite a lot of allowing on sites you wanted to work properly.

      1. The Thinker

        Brian,
        I actually just loaded RequestPolicy this morning after reading an article at networkworld.com. As I indicated, I’m looking for a (more) user friendly means by which to protect my network users.

        I’ve only been running both for the past hour or so, but they are different in operability. In my opinion, NoScript seems to provide better (read: more advanced) user controls over what content is blocked and where. However, RequestPolicy ships with a predefined whitelist of common domains, the interface is cleaner and more understandable, and it seems to offer greater control over trusted and untrusted sites. Basically, it supplements the lack of content control with site control, but it may be a bit more user friendly.

        Not sure if you were looking for a review 😉

        1. Stray

          I use both as well… quick to get used to and RequestPolicy protects you against non-javascript redirections. It also kills the last few ads that make it past AdBlock and NoScript. 🙂

      2. d

        Geeze Brian

        I use both as well. I started using Request Policy after reading your review a few months back. Maybe I thought you suggested it (sorry!) or maybe I was still using it as an evaluation. I can’t remember, but I use both No Script and Request Policy together on pc and Mac. Both of them together are a pain sometimes, but after you set up Request Policy’s whitelist, it’s pretty smooth sailing. I generally go to the same sites so it’s not much of a problem. The combination lets me see what other sites want to connect to the site I am currently viewing. I just dumped my Yahoo! account after I had to agree to a bunch of cookies and permissions. (On Mac I use LittleSnitch as well.)

        1. BrianKrebs Post author

          I wasn’t trying to be critical: I was honestly interested in the reasoning and results, as I’ve never tried using both of those addons in the same browser. Thanks for the feedback.

          1. d

            Oh, I didn’t take it as critical! My “geeze” refers to my lack of getting around to evaluate it. As usual, I read what you review, say, and evaluate. I download when appropriate, and then evaluate it at a later time. I believe Request Policy, combined with NoScript, gives a little more control over what’s allowed to connect. Yes, I realize you reviewed Request Policy “a while back,” but by the time I went to evaluate its worthiness, I realized the combination of the two didn’t seem to be hurting anything. It’s just a few more clicks to either allow or block. I also like Request Policy’s option of importing and exporting files, so I have the same permissions on several computers. But hey, it shows how much I value what you say.

      3. Dustin

        I’m coming to this a little late, but I’m using both, and I like RequestPolicy for finer-grained control. For instance, I’ll put up with Facebook scripts when I’m on Facebook, but I don’t need it integrating with other sites.

        Also, as d suggested, it’s sometimes funny (and enlightening) to see just how many different domains some sites make requests to.

  12. Sam

    So I went to Raskin’s site in a new tab and clicked on a few other tabs then back to Raskin’s site. As expected, I saw a Gmail login page. I clicked on some white space on the page and it went back to Raskin’s page. Does this behavior occur only on his page because he’s showing how the exploit works or would clicking on white space be a way to verify that I landed on a legitimate page?

    1. BrianKrebs Post author

      Hey Sam. Raskin purposefully set it up as a lame example — using just an image as opposed to an actual, interactive fake login page. He did it this way just to prove a point, and probably to keep people from getting really upset, or thinking he was trying to phish Gmail users.

      In a real attack, the phishers probably would wait until you submitted your credentials on the fake page, then submit those credentials on your behalf to the real site being spoofed, and then forward you on to an interactive session with that brand. This way, the victim would likely be none the wiser that they’d given away their credentials at a fake site. And in fact, this latter tactic has been used to great effect for several years now.

  13. matt horn

    You mentioned that “and the test page failed completely against Google Chrome”. But I just tried it in Chrome 5.0.375.55 beta and it worked.

  14. Bob

    Password managers of all kinds (extensions or bundled with the browser) don’t get fooled by TabNapping. For instance, in Opera, you can clearly see that the LogIn button is not highlighted.

    Also, the SSL certificate usually prominently visible in the address bar for sensitive sites is cruelly missing.

    1. Jane

      This POC didn’t use SSL, but I was under the impression it would be trivial for a real attacker to get their own certificate for SSL? In that case, would only the extended validation SSL sites & browsers have another indicator that there’s a problem?

      1. Ranger Six

        Jane:

        It would be possible for a tabnabbing phisherman to get a fake SSL certificate.

        However, getting one that would fool the browser into believing it’s a VALID certificate for the site it’s impersonating isn’t a trivial matter. (Possible, yes, but not trivial – I’d recommend reading the article “SSL vs. DNSSEC” from the Autumn 2009 issue of 2600 for an overview of why it’s not easy to get browsers to trust fake SSL certificates.)

  15. Maureen

    I have Raskin’s site up in Chrome on one monitor and was using a second monitor to type an email about it to my office, when Raskin’s site on the first monitor morphed in front of me after a minute or so.

    That was just creepy.

  16. Maureen

    By the way, I absolutely love your blog, Brian.

  17. Marty

    As usual, another good post Brian.

    While this is an interesting attack, it would seem that a lot of conditions would have to be in place for this to be successful (unlike email phishing, which only takes a single click in a convincing looking email message received by a user).

    First, the user would have to open a browser tab and connect to a bad website which has this phishing script. It is possible that a good website (i.e. krebsonsecurity) was hacked to include this phishing script, but that seems less likely.

    Second, the user would have to move away from the bad website, leaving the tab open (expecting to come back at some point). While they are away, the bad website changes itself to look like some other website (i.e. Gmail login page).

    Third, when the user comes back, they would have to not notice that the original bad website is now gone, replaced by another website (i.e. Gmail) in that same open tab.

    Fourth, the user would have to forget that they hadn’t actually, in this example, been connected to the Gmail website and left that tab open, in order to be fooled into thinking they were automatically logged out of the Gmail website.

    Fifth, the user would need to attempt to log back into the fake Gmail page presented by the bad website, thinking they were re-logging into the real Gmail website they had forgotten they previously left open.

    As I understand this phishing attempt, if the user actually had another tab open which was connected to the real Gmail website, then they would see two tabs with Gmail text, the tab connected to the real Gmail website and the tab connected to the bad website presenting the fake Gmail login page. The phishing script can’t take over another browser tab (if it could this would be a whole different problem), so it seems that it would be pretty simple to notice something was out of place even in this scenario.

    1. InfoSec Pro

      Marty, I think a lot of your assumptions are either invalid or pertain specifically to the PoC not to the generalized possibilities.
      For example:
      First assumption, I think it is highly likely that compromised sites would be used to deliver this, as they are for most everything else. Why would you assume otherwise?
      Second assumption is not how I understand it, I thought the bad site changed *other tabs* not the one in which it was opened.
      Third & fourth & fifth, as others pointed out, the script could be smart enough to select tabs matching its set of fakes, so it replaces a gmail (or other) tab with a fake gmail/other login; the user just thinks the session timed out or glitched and needs to restart.

      Point is that this was the initial proof of concept, not the production malware kit that will evolve with experience. It’s got the potential to be really nasty, and targets sophisticated users who are more likely to have lots of tabs open at once and probably consider themselves too knowledgeable to become victims. Wrong!

      1. Marty

        @Infosec Pro
        “…I thought the bad site changed *other tabs* not the one in which it was opened.”

        I did not understand that from Aza’s blog or his PoC demo. If script running in one browser tab can change the contents of another browser tab, then we are talking about something much more serious – a critical browser design flaw and/or serious browser bug.

    2. xAdmin

      Even before tabbed browsing, it has always been good practice to open ONLY one browser window when using a website that requires credentials. Doing so completely mitigates this issue.

      Unfortunately, the advent of webmail has only reinforced the idea of having multiple tabs/windows open, which is one of many reasons I loathe webmail!

      Then there are those who NEVER use a website’s log-off function and then immediately browse to other sites, leaving their credentials active in the browser to potentially be exposed to other websites or, at a minimum, to be used to access that secure site again by someone else physically at the computer (ex. shared computers).

      To me, it is common sense that the only time it is acceptable to open multiple tabs/windows is when passively browsing sites that do not require credentials!

    3. Derban

      Marty, about your comment explaining all the different circumstances that would need to be in place for this to work.

      You clearly sound like an avid computer user that has more expertise than your average user... you have to think about this from the average PC user’s point of view. They would probably never notice this happening. Also, I’ve watched many college students who would have a lot of tabs open (anywhere from 10-100). This attack could easily fool the average user. They would probably just think ‘Oh, I got logged out. I guess I need to log back in’ and never give it any extra thought.

  18. Muggs

    Tabfoolery.

    How else could it be anything else?

  19. BrianKrebs Post author

    Aviv Raff just pointed me to his own proof of concept, which seems to indicate this attack can be made to work even against Firefox users with the Noscript add-on installed.

    http://avivraff.com/research/phish/article.php

    Raff says the only thing missing here is the “lost focus” detection, and that it reloads after 10 seconds with the phishing.

    Wladimir, Giorgio, I’d be interested in your reactions/takes on this.

    1. John Pisello

      Sorry (actually, I’m not), but Mr. Raff’s PoC does not work on my copy of FF (3.6.3, WinXP) with NoScript (ver. 1.9.9.77), because NoScript also blocks the meta redirect (I believe this is default behavior for NoScript). I *love* NoScript–definitely one of my must-have add-ons.

    2. Giorgio Maone

      Pages reloading themselves with a meta-refresh are hardly a novelty (and BTW, Aviv’s “technique” obviously works on any stock browser, not just Firefox) 😉

      If you’re concerned about this, you can already turn meta-refreshes off in Firefox options, “Advanced/Accessibility/Warn me when web sites try to redirect or reload the page”.

      There’s actually something more that can be done about it in NoScript, and I’m tempted to implement it in the next version: an option (enabled by default) to prevent page refreshes on tabs different from the current one (this would save some bandwidth too).

      1. timeless

        fwiw, you’ll probably find this breaks some MXR behaviors if you ‘open link in background tab’.

        I’m not sure how often, as I don’t recall which behaviors rely on redirects (they should be easier to spot these days as I’ve added an apology message blaming browsers for the need to include the message).

        It’s also possible that this might break some version of Bugzilla’s buglist.cgi.

        Probably an interesting variant on this would be to use multipart/replace (ala buglist.cgi in Mozilla/5) instead of a proper refresh. Again, blocking this would break Bugzilla (for Mozilla/5 browsers). Otoh if you properly whitelist sites that are known to use this feature, then it’s less of an issue.

        I guess that’s one of the things I love about NoScript and other RBAC systems: features are enabled only if a site is known to need them, and everywhere else they’re off.

        1. Giorgio Maone

          Would you see this as an issue even if this behavior applies only to sites which you’ve got JavaScript disabled on (considering the many ways you’ve got to dynamically disguise a page if JS is enabled, there’s no point in implementing it web-wide)?
          Of course I would also add a feature-specific address-pattern whitelist, but I’d prefer not to go through the burden of adding a maintenance UI as well…
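As an added example, not NoScript's code and not from any commenter in this thread, here is the policy Giorgio Maone sketches above modelled in plain JavaScript: a parser for the `<meta http-equiv="refresh">` tag that Aviv Raff's proof of concept (linked in Brian's comment) relies on, the "no refresh on background tabs" rule applied only to hosts where scripts are already blocked, and the address-pattern whitelist timeless asks for so sites like Bugzilla keep working. The hostnames, the sample HTML and the shape of the `ctx` object are assumptions made for the example.

```javascript
// Added example, not NoScript's own code: a model of the "block meta refresh on
// background tabs" policy discussed in this thread, plus a per-host whitelist.
// All sample HTML and hostnames below are constructed for the example.

// Parse the content attribute of a refresh meta tag.
// Accepted forms: "10", "10; url=http://x", "10;URL='http://x'", "0,url=http://x".
function parseRefreshContent(content) {
  const m = /^\s*(\d+(?:\.\d+)?)\s*(?:[;,]\s*(?:url\s*=\s*)?["']?([^"'\s]+)["']?)?\s*$/i.exec(content);
  if (!m) return null;
  return { delay: parseFloat(m[1]), url: m[2] || null };
}

// Find the first <meta http-equiv="refresh" ...> in a document and parse it.
// Attribute order and letter case are not significant, as in real markup.
function findMetaRefresh(html) {
  const tagRe = /<meta\b[^>]*>/gi;
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    const tag = t[0];
    if (!/http-equiv\s*=\s*["']?refresh["']?/i.test(tag)) continue;
    const c = /content\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag);
    if (!c) continue;
    const value = c[1] !== undefined ? c[1] : c[2] !== undefined ? c[2] : c[3];
    const parsed = parseRefreshContent(value);
    if (parsed) return parsed;
  }
  return null;
}

// Whitelist patterns: an exact host ("bugzilla.mozilla.org") or a wildcard
// ("*.mozilla.org", which matches subdomains but not the bare apex).
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".mozilla.org"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Decide what to do with a refresh requested by the page in a tab. ctx fields
// (assumed shape): host, tabIsActive, scriptsAllowed, whitelist.
function refreshDecision(html, ctx) {
  const refresh = findMetaRefresh(html);
  if (!refresh) return { action: 'none', reason: 'no meta refresh in page' };
  if (ctx.scriptsAllowed) {
    // Giorgio's point: with JS enabled the page can redraw itself anyway,
    // so blocking the refresh alone buys nothing on trusted sites.
    return { action: 'allow', reason: 'scripts already allowed for this host', refresh };
  }
  if (ctx.whitelist.some((p) => hostMatches(p, ctx.host))) {
    return { action: 'allow', reason: 'host whitelisted for background refresh', refresh };
  }
  if (!ctx.tabIsActive) {
    return { action: 'block', reason: 'refresh requested by a background tab', refresh };
  }
  return { action: 'allow', reason: 'tab is in the foreground', refresh };
}

// Constructed sample: a page that reloads itself to another URL after 10 seconds.
const SAMPLE_HTML =
  '<html><head><title>Some article</title>' +
  '<META HTTP-EQUIV="Refresh" CONTENT="10; URL=http://example.invalid/login">' +
  '</head><body>...</body></html>';

// Demo: the refresh comes from a tab the user is not looking at, on a host
// without script privileges and not on the whitelist, so it is blocked.
console.log(refreshDecision(SAMPLE_HTML, {
  host: 'news.example', tabIsActive: false, scriptsAllowed: false, whitelist: ['*.mozilla.org'],
}).action); // prints "block"
```

The whitelist check runs before the background-tab check so that a site a user has deliberately exempted (Bugzilla's `buglist.cgi`, in timeless's example) keeps refreshing in a background tab, while an unknown site loses that ability until the tab is brought to the front.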

  20. Tommy

    That Aviv Raff link has just blown my mind. Scary stuff: first tabrustling, now linkrustling!!!

  21. Dark Matter

    Well at least he’s using jQuery so it will be compatible with several browsers.

    I would not call it “tabnapping” because he’s not really hijacking the tab or the browser at all. A better name for it would be DEVIUS – short for “don’t ever visit untrusted sites.”
