Target="_blank" — the most underestimated vulnerability ever

People using target="_blank" links usually have no idea about this curious fact:

The page we’re linking to gains partial access to the source page via the window.opener object.

The newly opened tab can then change window.opener.location to some phishing page, or execute some JavaScript on the opener page on your behalf. Users trust the page that is already open, so they won't get suspicious.


Example attack: create a fake “viral” page with cute cat pictures, jokes or whatever, get it shared on Facebook (which is known for opening links via _blank) and every time someone clicks the link — execute this

window.opener.location = 'https://fakewebsite/facebook.com/PHISHING-PAGE.html';

…redirecting to a page that asks the user to re-enter her Facebook password.

How to fix

rel="noopener"

Update: Firefox does not support "noopener", so add "noreferrer" as well:

rel="noopener noreferrer"

Remember that every time you open a new window via window.open() you are also "vulnerable" to this, so always reset the "opener" property:

var newWnd = window.open();
newWnd.opener = null; // the new window can no longer reach this page through window.opener
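The two fixes above (rel="noopener noreferrer" on target="_blank" links, and clearing the opener on window.open()) as one added example; this is my code, not the original post's. It works on anything with getAttribute/setAttribute, so it runs against real DOM anchors in a browser and against the constructed stand-in element below in Node; the `win` parameter of openWithoutOpener is an assumption so the window object can be injected.

```javascript
// Added example (not from the original post): harden target="_blank" links so the
// opened page cannot reach window.opener, and open windows without handing over an
// opener reference.

const REQUIRED_REL = ["noopener", "noreferrer"];

// Return a rel value that keeps any existing tokens (e.g. "nofollow") and
// guarantees that both noopener and noreferrer are present.
function hardenRel(rel) {
  const tokens = new Set((rel || "").split(/\s+/).filter(Boolean));
  for (const t of REQUIRED_REL) tokens.add(t);
  return Array.from(tokens).join(" ");
}

// Add the protective rel tokens to every anchor that opens a new browsing context.
// In a browser: hardenBlankLinks(document.querySelectorAll("a[target]")).
// Returns the number of anchors that were changed.
function hardenBlankLinks(anchors) {
  let changed = 0;
  for (const a of anchors) {
    if ((a.getAttribute("target") || "").toLowerCase() !== "_blank") continue;
    const before = a.getAttribute("rel") || "";
    const after = hardenRel(before);
    if (after !== before) {
      a.setAttribute("rel", after);
      changed++;
    }
  }
  return changed;
}

// Open a window without leaking window.opener. Modern browsers honour the
// "noopener" window feature (and then return null); for older browsers the
// opener reference is cleared synchronously, before the new document can run
// any script. `win` is normally the global `window`.
function openWithoutOpener(win, url) {
  const w = win.open(url, "_blank", "noopener");
  if (w) w.opener = null;
  return w;
}

// Constructed stand-in for an <a> element so the example runs outside a browser.
function fakeAnchor(attrs) {
  const map = new Map(Object.entries(attrs));
  return {
    getAttribute: (name) => (map.has(name) ? map.get(name) : null),
    setAttribute: (name, value) => { map.set(name, value); },
  };
}
```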

PS. Interestingly, Google doesn’t seem to care.

Originally published on Founder's blog

Written by

Alexander Yumashev — founder of https://www.jitbit.com. Hacker, father, snowboarder, bass-player.
