Tabjacking: a new and ingenious phishing attack
By now, all but the most geriatric Web users know about phishing. Usually it takes the form of a seemingly-official email from a bank or other money-related Web service. Most of the time these attacks are painfully obvious -- but what if you removed the email attack vector? What if you removed those daft give-away URLs? What if the phishing attack was pure, seemingly-benign JavaScript that's invisible to all but the most judicious of Web users?
That's exactly what 'tabjacking' does. Open Aza Raskin's proof of concept in a new tab. Admire the sample code. Now, change tabs, wait five seconds, and then watch in horror as his site seemingly becomes GMail.
Malicious JavaScript injection isn't a new thing -- and this particular exploit only works in Firefox (and partially in Chrome) -- but you have to admit it's pretty damn scary. It's certainly only a matter of time until workarounds are found for the other browsers -- and the implications when combined with targeting 'hacks' such as CSS history mining are petrifying.
You wouldn't have to hack the site to inject the JavaScript either: an add-on or extension would work just as well...
If you're like me, you always check the address bar before typing a sensitive password. I'm not actually sure what I'll do, now that tabjacking code is in the wild.
As Aza says, it's high time we move to browser-based authentication solutions like the Firefox Account Manager.
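As an added example (not from this article, and not Aza Raskin's proof-of-concept code), here is the kind of defender-side JavaScript a browser extension's content script could run against the behaviour described above: it snapshots the tab's visible identity (title, favicon, location) whenever the tab is hidden and, when the tab is shown again, reports what changed while the user was away. The function names, the `onVerdict` callback and the `example.test` sample snapshots are assumptions constructed for the example.

```javascript
// Added example, not from the article or from Aza Raskin's proof of concept.
// A small defender-side monitor, written as a content script an extension
// could inject into every page. It snapshots the tab's visible identity
// (title, favicon, location) whenever the tab is hidden and, when the tab is
// shown again, reports which of those changed while the user was away: that
// swap-while-hidden is the behaviour the article describes.

// Pure comparison of two identity snapshots; returns the names of changed fields.
function diffIdentity(before, after) {
  const changed = [];
  for (const key of ['title', 'favicon', 'href']) {
    if (before[key] !== after[key]) changed.push(key);
  }
  return changed;
}

// Classify a change set. Titles change legitimately all the time (unread
// counts, timers), so a title change alone is only noted; a favicon swap while
// the tab was hidden is what makes the impersonation convincing, and a new
// document location while hidden is equally worth flagging.
function assessChange(before, after, hiddenMs) {
  const changed = diffIdentity(before, after);
  const suspicious = changed.includes('favicon') || changed.includes('href');
  return { changed, suspicious, hiddenMs };
}

// Read the live identity from a Document and a Location (standard browser APIs).
function captureIdentity(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.href : '',
    href: loc.href,
  };
}

// Wire the monitor to the Page Visibility API. `onVerdict` is a hypothetical
// callback; a real extension would surface a warning in its own UI.
function installMonitor(doc, loc, onVerdict) {
  let snapshot = captureIdentity(doc, loc);
  let hiddenSince = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') {
      snapshot = captureIdentity(doc, loc);
      hiddenSince = Date.now();
      return;
    }
    const hiddenMs = hiddenSince === null ? 0 : Date.now() - hiddenSince;
    onVerdict(assessChange(snapshot, captureIdentity(doc, loc), hiddenMs));
  });
}

// Constructed sample snapshots (assumption: they stand in for what
// captureIdentity would return on a page that keeps its URL but redresses
// itself while hidden).
const SAMPLE_BEFORE = {
  title: 'Harmless article',
  favicon: 'https://example.test/favicon.ico',
  href: 'https://example.test/article',
};
const SAMPLE_AFTER = {
  title: 'Gmail: Email from Google',
  favicon: 'https://example.test/gmail-lookalike.ico',
  href: 'https://example.test/article',
};

// Offline demonstration: the same page, five seconds after being hidden.
function demo() {
  return assessChange(SAMPLE_BEFORE, SAMPLE_AFTER, 5000);
}

if (typeof document !== 'undefined') {
  installMonitor(document, window.location, (verdict) => {
    if (verdict.suspicious) console.warn('Tab identity changed while hidden:', verdict);
  });
} else {
  console.log(demo());
}
```

The location is compared as well, but as several commenters note below the URL stays the same in the demonstration, so a monitor that only watches the address bar would see nothing; that is why a favicon swap while hidden is weighted as the suspicious signal here, and why the article's advice to re-check the address bar before typing a password is necessary but not sufficient on its own.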
Comments

Dan, May 25th 2010 11:17AM
This only works on FF and Safari. Chrome and IE (IE is safer for once?!).
Sebastian Anthony, May 25th 2010 11:20AM
It half-works in Chrome beta (version 5). The site changes, but the favicon stays the same. I think in Chrome 4 it doesn't work at all?
Not tried IE!
Alasdair, May 25th 2010 11:27AM
They actually refer to it as 'tabnabbing' on the source site.
Sebastian Anthony, May 25th 2010 11:36AM
Yeah, we renamed it. Sounds more intuitive and dangerous.
Not to mention, 'nabbing' is quite a British term... and we like Americanizing stuff around these parts :P
Alasdair, May 25th 2010 12:13PM
You don't say.
FWIW I prefer tabnabbing. Too many things end with '-jacking', to the point where it sounds like everything connected to the internet is capable of being physically pleasured. Plus, it rhymes.
a, May 25th 2010 11:41AM
Yep, works in Chrome 4.1
a, May 25th 2010 11:43AM
Just updated my browser and it works in Chrome 5.0 too, although the favicon and URL stay the same, as they did in Chrome 4.1
Sebastian Anthony, May 25th 2010 12:41PM
Yea, sorry -- I mean that after I open a link, I rarely look at the URL again.
Aza's spot-on with the whole 'an already-open tab has our trust' thing.
Matt, May 25th 2010 12:08PM
URL stayed the same in both FF 3.6.3 and Chrome V5.
So as long as you check the URL before you enter password info (I always do) then you are safe.
jkroeder, May 25th 2010 12:40PM
Tested and works in:
- IE8
- Opera 10.54 - Build 21868
- Firefox w/ NoScript with current domain enabled
Does not seem to work in the very latest Chromium build 6.0.416.0 (48147)
- did not have JavaScript disabled
SpeedGun, May 25th 2010 1:03PM
I tried it (in fact I rigged it up for myself, with PHP to steal your username and password). It is ingenious and I hope it is not used too much, if at all.
niebylski+downloadsquad, May 25th 2010 1:07PM
Doesn't work at all in Chrome Dev 6.0.408.1
jabapyth+dls, May 25th 2010 1:41PM
Hmmm I imagine this is an argument against sites being able to change their favicon...
Simon, May 25th 2010 1:47PM
>You wouldn't have to hack the site to inject the JavaScript either: an add-on or extension would work just as well...
If you've installed an untrusted extension, you've already lost. Easier to just inject code on the real login page in that case.
Brian (PC gamer extraordinaire), May 25th 2010 2:06PM
Doesn't work with NoScript
DanO, May 25th 2010 11:03PM
SRWare Iron 4.0.280 is immune.
michas_pi, May 26th 2010 3:22AM
I can confirm this, too. Iron is not affected by this.
Rob, May 26th 2010 1:40AM
I'm with Brian... I'm really surprised that this isn't an advertisement for NoScript. Why not mention the rather obvious add-on?
Sebastian Anthony, May 26th 2010 6:41AM
Because... I don't use NoScript! But thanks for mentioning it -- the comments always provide useful extra info for other readers :)
trlovejoy, May 26th 2010 3:09PM
Works in Opera too, but the URL stays the same as the original tab. Hitting refresh brings back the original tab.