Security: Tabnabbing. What? How?

Shatabda
3 min read · May 6, 2018


As the internet continues to reach every household and business, its usage has grown enormously, with millions accessing it at the same time. This expansion has resulted in the creation of countless websites and applications that offer various services and content. People prefer to do multiple tasks at the same time, i.e., accessing multiple applications through the browser. Such widespread growth has amplified the importance of web security in recent times. Web applications have to make sure that user data is safe and that there is no vulnerability. One such vulnerability is called “Tabnabbing”.

What is Tabnabbing?
It is a computer exploit and phishing attack, which persuades users to submit their login details and passwords to popular websites by impersonating those sites and convincing the user that the site is genuine. The attack’s name was coined in early 2010 by Aza Raskin, a security researcher and design expert. The attack takes advantage of user trust and inattention to detail in regard to tabs, and the ability of modern web pages to rewrite tabs and their contents a long time after the page is loaded.

Consider the following scenario:
Sarah is busy finishing up her work for the week. Her job includes transferring funds to her company's vendors. She is running behind schedule and is in a hurry. She is about to enter her bank credentials and clicks a link that opens a malicious website in a new tab. She gets a phone call and is distracted. The malicious website contains a script that quietly changes the content of the parent page to a fake login page. Sarah, thinking that the page is genuine, enters her credentials, which reach the attacker's server.

Figure: An example of Tabnabbing

How does it happen?
The answer lies in the way browsers work. There are two types of browsers: multi-process and multi-threaded browsers.

For multi-process browsers, three types of processes are created: Browser, Renderers and Plugins. Each window/tab has its own renderer process, which works independently.

For Multi-threaded browsers, each window/tab possesses a thread that performs the tasks required by the user. The thread is a part of a process that runs for the browser. Multiple threads share the same memory and resources of the process.

Figure: An overview of multi-process and multi-threaded architecture

When a window/tab is created from another one, the same renderer process is allocated to both windows/tabs. window is an object created by the browser. The window.opener property is created whenever a secondary window is opened using the window.open method. Using this opener property, we can access the main window from the newly opened window.

Why do we need this?
This functionality was created to improve the overall experience for the user by making the windows/tabs communicate with each other.

Consider the following scenario:
A website requires you to enter your credentials to access your account. The login page opens in a new window. After successfully validating the entered credentials, the new window can redirect the parent window to the account details and close automatically.

How to prevent it?
For all anchor tags that include target="_blank", we can use rel="noopener" and rel="noreferrer" (for older browsers) to set window.opener to null. Another solution is to dynamically inject rel="noopener noreferrer" into all anchor tags that have target="_blank".
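
The dynamic injection described above, as an added example that is not part of the original article. The names hardenRel, opensNewTab and hardenLinks, and the MutationObserver hook for links added after page load, are this example's own choices:

```javascript
// Added example (not from the original article). Runs in a browser page;
// the pure functions also load under Node, where no document exists.
const REQUIRED_REL = ["noopener", "noreferrer"];

// Merge the required tokens into an existing rel value, keeping tokens the
// author already set (e.g. "nofollow") and avoiding duplicates.
function hardenRel(rel) {
  const tokens = (rel || "").split(/\s+/).filter(Boolean);
  const seen = new Set(tokens.map((t) => t.toLowerCase()));
  for (const required of REQUIRED_REL) {
    if (!seen.has(required)) tokens.push(required);
  }
  return tokens.join(" ");
}

// target keywords are matched case-insensitively, so "_BLANK" counts too.
function opensNewTab(el) {
  return (el.getAttribute("target") || "").toLowerCase() === "_blank";
}

// Patch every <a target="_blank"> under root; returns how many were changed.
function hardenLinks(root) {
  let changed = 0;
  for (const el of root.querySelectorAll("a[target]")) {
    if (!opensNewTab(el)) continue;
    const current = el.getAttribute("rel");
    const hardened = hardenRel(current);
    if (hardened !== current) {
      el.setAttribute("rel", hardened);
      changed++;
    }
  }
  return changed;
}

// In a browser: fix existing links, then re-run whenever nodes are added,
// so links injected later (comments, widgets) are covered as well.
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  hardenLinks(document);
  new MutationObserver(() => hardenLinks(document)).observe(
    document.documentElement,
    { childList: true, subtree: true }
  );
}
```

Windows opened from script need the same treatment: passing "noopener" in the features argument of window.open leaves the new window without a reference to its opener.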

Disclaimer: The information published in this article is only for educational purposes. The content of this article is based on my personal learning and experience. Any misuse of information will not be the responsibility of the author.
