Tab Phishing

By | May 30, 2010

Now here is a clever one.

As Mozilla Firefox creative lead Aza Raskin describes it, the attack is as elegant as it is simple: a user has multiple tabs open and surfs to a site that uses special JavaScript code to silently alter the contents of a tabbed page, along with the information displayed on the tab itself (its title and favicon), so that when the user switches back to that tab it appears to be the login page for a site the user normally visits.

Even with the NoScript plugin installed, users were still vulnerable. Fortunately, the May 27th update fixes that.
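The behaviour Raskin describes has a recognisable signature from the defender's side: the page rewrites its own title, favicon and body while its tab is in the background, and the address bar is the only thing that does not change. The following is an added example, not code from the original post, from Mozilla or from the NoScript project: a heuristic detector that records identity changes made while the tab is hidden and reports them when the tab is shown again. The detector, its field names, the severity labels, the 5-second threshold and the replayed timeline are all assumptions constructed for this demonstration; the decision logic is kept free of DOM calls so it can be exercised offline, and the browser wiring at the bottom only runs when a `document` exists.

```javascript
// Added example (not code from the original post): a defender-side heuristic
// for tabnabbing. A page that rewrites its title, favicon and body while its
// tab is hidden, so that it passes for another site when the user returns,
// is the pattern being detected.

// Fields a tabnabbing page must change to impersonate another site.
const IDENTITY_FIELDS = ['title', 'favicon', 'body'];

// Title alone changes on many legitimate sites (unread counts); a favicon or
// wholesale body swap while hidden is far more specific to tabnabbing.
function severityFor(fields) {
  const spoofsIdentity = fields.includes('favicon') || fields.includes('body');
  if (spoofsIdentity && fields.includes('title')) return 'high';
  if (spoofsIdentity) return 'medium';
  return 'low';
}

// Builds a stateful detector. `minHiddenMs` is a constructed threshold: the
// demo described in the comments waited about half a minute before switching,
// so short background periods are ignored to cut noise.
function createTabnabDetector({ minHiddenMs = 5000 } = {}) {
  const state = { hidden: false, hiddenSince: 0, pending: [] };
  const findings = [];

  // Record when the tab is hidden or shown. On return to the foreground, any
  // identity changes made while hidden become a finding.
  function onVisibility(hidden, now) {
    if (hidden) {
      state.hidden = true;
      state.hiddenSince = now;
      state.pending = [];
      return null;
    }
    state.hidden = false;
    const hiddenForMs = now - state.hiddenSince;
    let finding = null;
    if (hiddenForMs >= minHiddenMs && state.pending.length > 0) {
      const fields = [...new Set(state.pending.map((c) => c.field))];
      finding = { hiddenForMs, fields, severity: severityFor(fields), changes: state.pending };
      findings.push(finding);
    }
    state.pending = [];
    return finding;
  }

  // Record a change to title, favicon or body. Only changes made while the tab
  // is hidden matter; a page updating itself in the foreground is normal.
  function onChange(field, oldValue, newValue, now) {
    if (!IDENTITY_FIELDS.includes(field)) throw new Error(`unknown field ${field}`);
    if (!state.hidden || oldValue === newValue) return;
    state.pending.push({ field, oldValue, newValue, at: now });
  }

  return { onVisibility, onChange, findings };
}

// Replays a constructed event timeline (not captured from any real site) that
// mirrors the attack: benign edits while visible, then a full identity swap
// during a long background period, then a short, harmless hide/show cycle.
function runConstructedTimeline() {
  const d = createTabnabDetector({ minHiddenMs: 5000 });
  d.onChange('title', 'Widget Blog', '(1) Widget Blog', 500);      // visible: ignored
  d.onVisibility(true, 1000);                                       // user switches tab
  d.onChange('title', '(1) Widget Blog', 'Sign in - Example Mail', 2000);
  d.onChange('favicon', '/favicon.ico', '/img/mail-lookalike.ico', 2500);
  d.onChange('body', 'blog-content', 'fake-login-form', 3000);
  d.onVisibility(false, 35000);                                     // back ~34 s later
  d.onVisibility(true, 36000);
  d.onChange('title', 'Sign in - Example Mail', 'Sign in - Example Mail (2)', 36500);
  d.onVisibility(false, 37000);                                     // hidden only 1 s
  return d.findings;
}

// Browser wiring (hypothetical glue, not part of the original post): feed
// visibility changes and <head> mutations into the detector and report them.
// Body changes could be fed in the same way from an observer on doc.body.
function attachToDocument(doc, detector, report = console.warn) {
  const favicon = () => (doc.querySelector('link[rel~="icon"]') || {}).href || '';
  let lastTitle = doc.title;
  let lastIcon = favicon();
  doc.addEventListener('visibilitychange', () => {
    const f = detector.onVisibility(doc.visibilityState === 'hidden', Date.now());
    if (f) report(`possible tabnabbing: ${f.fields.join(', ')} changed while hidden ` +
      `${f.hiddenForMs} ms (severity ${f.severity}); address bar still shows ${doc.location.href}`);
  });
  new MutationObserver(() => {
    const now = Date.now();
    detector.onChange('title', lastTitle, doc.title, now);
    detector.onChange('favicon', lastIcon, favicon(), now);
    lastTitle = doc.title;
    lastIcon = favicon();
  }).observe(doc.head, { subtree: true, childList: true, attributes: true, characterData: true });
}

if (typeof document !== 'undefined') {
  attachToDocument(document, createTabnabDetector());
}
```

Run under Node, `runConstructedTimeline()` returns a single high-severity finding for the 34-second background period in which title, favicon and body all changed; the foreground title tick and the one-second hide/show cycle produce nothing. In a browser the same logic is driven by `visibilitychange` and a `MutationObserver` on `<head>`, which is the kind of check the first commenter asks about, and the report deliberately quotes the unchanged address bar, since that is the one signal the page cannot forge.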


About (Author Profile)

Vygantas is a former web designer whose projects are used by companies such as AMD, NVIDIA and the departed Westwood Studios. Being passionate about software, Vygantas began his journalism career back in 2007 when he founded Having said that, he is also an adrenaline junkie who enjoys good books, fitness activities and Forex trading.

Comments (4)


  1. Now, this is an interesting one. I guess other browsers should be vulnerable to this also…
    Well, Opera doesn’t change the favicon… but maybe that’s because FF code was used. From the other point of view, how to protect against something like that??
    Detect when a tab is changing its favicon after some time? What if such functionality is needed?
    BTW. Check out the demo site in your browser:

    • And it indeed works in FF. Amazing. I forgot that I’d opened this site, and after about 30 minutes I switched back and – whoa, did I open Gmail?? hmm…, oh, maybe…
      Hell, it’s evil indeed. Thankfully the URL hasn’t changed. I wonder if it’s possible – set window.location, and then immediately cancel/stop loading.
      One more difference – in Opera the Flash movie was still visible after replacing the whole content, I thought it was meant to, but no – in FF it’s gone also (but that might be because I’m using Opera snapshots).

  2. RamaSubbu SK says:

    Wow!! Good to see that the NoScript claim has been downed.
    All browsers are NOT safe except Opera :)
    Opera is the safest browser of all, because so far no hacker has cared about Opera :) so I use Opera

  3. Just to put the record straight:

    1) Aza’s original attack does NOT work against even older versions of NoScript.
    2) Aviv Raff’s scriptless variants do work around older NoScript versions (obviously, since they don’t use JavaScript), but the most recent NoScript versions contain specific protection against the scriptless variants as well.
    3) This attack can be made perfectly cross-browser, i.e. it can work against ANY browser where NoScript is not installed — Opera included ;)