Tuesday, May 25th, 2010

TabNabbing: Phishing By Switching Background Tab Content

Aza Raskin identifies yet another form of phishing attack. Tabnabbing is the process of replacing the entire contents of a page while it’s in a background tab. Want to see it in action? Just visit Aza’s article, switch to another tab for 5 seconds and see what happens. Nice clean demo, and as scary as it is simple.

There’s no reload because it’s possible to change favicon, title, and page contents via Javascript. Reading through the comments, the attack seems to work most consistently and potently in Firefox, with other browsers being a mixed bag based on how they handle dynamic favicons and the focus event.

The steps in detail:

  1. A user navigates to your normal looking site.
  2. You detect when the page has lost its focus and hasn’t been interacted with for a while.
  3. Replace the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like. This can all be done with just a little bit of Javascript that takes place instantly.
  4. As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.
  5. After the user has entered their login information and you’ve sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.

Aza also notes the attack could get a lot more potent if they (a) used the CSS history exploit to discover which sites the user has visited; (b) employed certain other techniques, like timing attacks, to determine which services a user is currently logged into.

A New Type of Phishing Attack from Aza Raskin on Vimeo.

Posted by Michael Mahemoff at 10:10 am

5 rating from 1 votes


Comments feed TrackBack URI

I have a better one for you. First, read this:


Now, instead of doing complicated CSS to mask the site, simply detect when the user is on another tab, and redirect to a unicode look-alike domain.

Checking the address bar won’t help you. As far you’re concerned, you navigated to the site yourself, because the tab is already open.

Moral of the store: Never log into any site unless it’s SSL and the certificate checks out.

Even then, you might still be screwed:


Sigh…. we need a better solution.

Comment by MaratDenenberg — May 25, 2010

That’s why I use the secure login extension for Firefox.

Would never type by hand a password into a form, so I know something is up.

Faking logins is the oldest trick in the book.

Comment by ck2 — May 25, 2010

did something similar but less malicious here — http://illtronix.com/t/js/aware/ — to test flash to javascript communication. Note title bar.

Comment by fitsum — May 25, 2010

That is pretty darn scary – I can see many people falling for this. This is why it’s even more important to use some sort of password manager (like lastpass, which is what I use).

Comment by iliad — May 25, 2010


Comment by jeromew — May 26, 2010

Just got a NoScript update that blocks “tabnabbing” by default. <3 NoScript.

Comment by jlizarraga — May 28, 2010

ven with firefox I’ve even tried it without changing tabs and it also does it – so it’s doubly dangerous.

If you select a different window on the desktop (but NOT change tabs in the browser) the script still detect this and does the page-switch.

Very intruiging. So simple as well.

It’s a concern how the less savvy are going to treat (or be treated by tabnabbing)


Comment by howtostoptabnabbing — June 13, 2010

Leave a comment

You must be logged in to post a comment.