
A Fun New Exploit Called “Tab-napping”

Named with a nod to the word "kidnapping", Brian Krebs details a nifty new exploit that's bound to make its way to your browser sooner or later. This new phishing exploit relies on user inattention and your trust in browser tabs, and is likely to fool even the most security-savvy web surfers.

Mozilla Firefox creative lead Aza Raskin describes it like this: a user has multiple tabs open and surfs to an infected site. The site uses special JavaScript code to silently alter the contents of a tabbed page along with the information displayed on the tab itself. When the user switches back to that tab, it appears to be the login page for a site the user normally visits. But it's not.

For example, you have several tabs open, and one of the sites you visit has been infected with this exploit. After you leave that tab, the exploit does its work, switching the tab (for example) to a fake Gmail site. As you scan your open tabs, the favicon and title act as a strong visual cue, and you'll most likely simply think you left a Gmail tab open.

When you click back to the fake Gmail tab, you’ll see the standard Gmail login page, assume you’ve been logged out, and provide your credentials to log in. Raskin continues, “After the user has entered their login information and sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.”

Raskin includes a proof-of-concept at his site, which is more than a little scary when you let it run. Load the page, click away to another tab for 5 seconds, and come back. You'll be looking at what appears to be the Gmail login page.

Note that if you are using the must-have add-on “NoScript”, the proof-of-concept won’t work until you allow JavaScript on the page.
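The pattern described above, where a tab's title, favicon and content all change while nobody is looking at it, can be checked for mechanically. The following is an added example, not code from Raskin's proof-of-concept or from this post; it assumes a per-tab event timeline such as a browser extension might record, and the event shape, field names and both sample timelines are constructed for illustration.

```javascript
// Added example: flags the tab-napping pattern in a per-tab event timeline.
// The event shape ({t, type, ...}) is an assumption made for this sketch.

// Constructed sample: a tab rewrites itself 5 s after losing focus.
const sampleEvents = [
  { t: 0, type: "snapshot", title: "Holiday photos", favicon: "/favicon.ico", passwordField: false },
  { t: 4000, type: "hidden" },
  { t: 9000, type: "snapshot", title: "Gmail: Email from Google", favicon: "/img/m.ico", passwordField: true },
  { t: 60000, type: "visible" },
];

// Constructed sample: a benign unread counter added to the title while hidden.
const benignEvents = [
  { t: 0, type: "snapshot", title: "Inbox", favicon: "/favicon.ico", passwordField: false },
  { t: 1000, type: "hidden" },
  { t: 2000, type: "snapshot", title: "(1) Inbox", favicon: "/favicon.ico", passwordField: false },
  { t: 3000, type: "visible" },
];

function detectTabnapping(events) {
  const findings = [];
  let current = null;   // latest observed identity of the tab
  let baseline = null;  // identity at the moment the user looked away
  for (const ev of events) {
    if (ev.type === "snapshot") {
      current = { title: ev.title, favicon: ev.favicon, passwordField: ev.passwordField };
    } else if (ev.type === "hidden") {
      baseline = current;
    } else if (ev.type === "visible" && baseline && current) {
      const changed = [];
      if (current.title !== baseline.title) changed.push("title");
      if (current.favicon !== baseline.favicon) changed.push("favicon");
      if (current.passwordField && !baseline.passwordField) changed.push("password-field");
      // Title and favicon are the cues the user trusts; both changing while
      // unseen is the signal. A newly added password field raises severity.
      if (changed.includes("title") && changed.includes("favicon")) {
        findings.push({
          t: ev.t,
          severity: changed.includes("password-field") ? "high" : "medium",
          changed,
          from: baseline.title, to: current.title,
        });
      }
      baseline = null;
    }
  }
  return findings;
}
```

Requiring both the title and the favicon to change keeps ordinary background updates, such as an unread counter in the title, from being flagged.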
