‘Tabnapping’: The newest browser security threat
A Mozilla employee recently discovered a new method cybercriminals can use to steal people’s passwords.
The tactic, dubbed “tabnapping,” was uncovered and described in a blog post by Aza Raskin, Firefox’s creative lead. All major browsers are vulnerable to the attack, Raskin says.
The method relies on the fact that most people keep multiple browser tabs open at the same time. Attackers are able to change the contents of a tab that’s open in the background. Here’s how it works:
First the user must be tricked into visiting a malicious or compromised website. Then, once that tab is no longer in the foreground, JavaScript on the page rewrites the contents of the open (but inactive) browser tab.
The changed page is designed to look like the legitimate log-in page of a site the user regularly visits (such as an online banking site). But when the username and password are entered, the info is sent to the hackers.
The title of the open tab is changed, too, and in some cases, so is the icon appearing next to the title.
For example: A Gmail user leaves several browser tabs open. One of them is quietly changed to a mock-up of the Gmail log-in page (along with Gmail’s normal tab heading). The user eventually looks at the open tabs, sees one for Gmail. Assuming he left an e-mail session open that expired, the user re-enters his username and password.
(Visit Raskin’s blog for a demonstration of tabnapping in action.)
The URL shown in the address bar of the hijacked tab would give away the scam, but people assume their open tabs can’t morph into another site, so they don’t bother to check.
The best fix: Keep browsers up to date. The attack requires that the user first visit a site with malicious code, so having as secure a browser as possible will help block tabnapping attacks before they happen.
Password managers can prevent log-in credentials from being stolen, too, since they link saved passwords to the real log-in page.
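The origin check behind that mitigation, as an added example (not code from the article or from any real password manager): saved logins are keyed by the page’s origin, not by its appearance, title or icon, so a rewritten tab on another site gets no autofill. The vault entries are constructed sample data.

```javascript
// Added example: origin-bound credential lookup, the check a password manager
// performs before offering a saved login. Credentials are keyed by origin
// (scheme + host + port), never by what the page looks like, its title, or
// its favicon, so a tab rewritten to mimic a login page gets nothing.
// The vault below is constructed sample data, not real credentials.
const vault = [
  { origin: "https://mail.google.com", username: "alice@example.com" },
  { origin: "https://bank.example", username: "alice" },
];

// Normalise a URL to its origin. Returns null for anything that is not a
// well-formed absolute https URL (plain http, data:, javascript: never match).
function originOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  if (url.protocol !== "https:") return null;
  // url.origin is scheme://host[:port]; userinfo, path, query and fragment
  // are dropped, so "https://mail.google.com@attacker.example/" resolves to
  // the attacker's origin, not Google's.
  return url.origin;
}

// Returns the saved credential for the page at pageUrl, or null when nothing
// is bound to that exact origin. Exact match only: lookalike hosts such as
// mail.google.com.attacker.example or mail-google.com never match.
function credentialFor(pageUrl) {
  const origin = originOf(pageUrl);
  if (origin === null) return null;
  return vault.find((c) => c.origin === origin) || null;
}
```

A tabnapped page can copy the Gmail form pixel for pixel, but its origin is still the attacker’s site, so `credentialFor` returns null and the saved password is never offered.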