Tabnabbing

Tabnabbing is a computer exploit and phishing attack, which persuades users to submit their login details and passwords to popular Web sites by impersonating those sites and convincing the user that the site is genuine. The attack's name was coined in early 2010 by Aza Raskin, a security researcher and design expert. The attack takes advantage of user trust and inattention to detail in regard to tabs, and the ability of modern web pages to rewrite tabs and their contents a long time after the page is loaded.

The exploit employs scripts to rewrite a page of average interest with an impersonation of a well-known website, when left unattended for some time. A user who returns after a while and sees the rewritten page may be induced to believe the page is legitimate and enter their login, password and other details that will be used for improper purposes. The attack can be made more likely to succeed if the script checks for well-known Web sites the user has loaded in the past or in other tabs, and loads a simulation of the same sites. This attack can be done even if JavaScript is disabled, using the "meta refresh" meta element, an HTML mechanism for page redirection that causes a specified new page to load after a given time interval.
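As an added example, not code from the original article, the following JavaScript scans a page's HTML for the scriptless meta-refresh vector described above and flags refresh directives that wait a while and then send the tab to a different origin, the kind of check a crawler or a proxy could run on pages it serves. The regex-based parsing, the 10-second threshold, the `.example` host names and the two sample pages are all constructed for this example and are not part of the article.

```javascript
// Added example, not code from the original article: a static scanner that
// flags delayed <meta http-equiv="refresh"> redirections, the scriptless
// tabnabbing vector. Regex-based parsing and the 10-second threshold are
// assumptions made for this example; the sample pages below are constructed.

// Extract the value of one attribute from a single <meta ...> tag
// (double-quoted, single-quoted or unquoted values).
function attr(tag, name) {
  const re = new RegExp(
    '\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// Parse a refresh "content" value: "N" (reload) or "N; url=TARGET" (redirect).
function parseRefreshContent(content) {
  const m = /^\s*(\d+(?:\.\d+)?)\s*(?:[;,]\s*(.*))?$/s.exec(content);
  if (!m) return null;
  let url = null;
  if (m[2] !== undefined) {
    const rest = m[2].trim()
      .replace(/^url\s*=\s*/i, '')      // optional "url=" prefix
      .replace(/^['"]|['"]$/g, '')     // optional surrounding quotes
      .trim();
    url = rest || null;
  }
  return { delay: parseFloat(m[1]), url };
}

// Return every meta refresh directive found in the HTML.
function parseMetaRefresh(html) {
  const directives = [];
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    const equiv = attr(tag, 'http-equiv');
    if (!equiv || equiv.trim().toLowerCase() !== 'refresh') continue;
    const content = attr(tag, 'content');
    const parsed = content === null ? null : parseRefreshContent(content);
    if (parsed) directives.push(parsed);
  }
  return directives;
}

// Flag directives that wait long enough for the user to have moved to another
// tab and then send the tab to a different origin. Same-origin redirects and
// plain reloads are left alone.
function findTabnabbingRefreshes(html, pageUrl, minDelaySeconds = 10) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const { delay, url } of parseMetaRefresh(html)) {
    if (url === null) continue;               // plain reload of the same page
    let target;
    try { target = new URL(url, pageUrl); } catch (e) { continue; }  // unparsable target
    if (delay >= minDelaySeconds && target.origin !== pageOrigin) {
      findings.push({ delay, target: target.href });
    }
  }
  return findings;
}

// Constructed sample pages (not real sites).
const SAMPLE_BENIGN =
  '<html><head><meta http-equiv="refresh" content="30">' +
  '<title>Live scores</title></head><body>score table</body></html>';
const SAMPLE_SUSPECT =
  '<html><head><meta http-equiv="refresh" content="300; url=https://lookalike.example/login">' +
  '<title>Cake recipe</title></head><body>cake recipe</body></html>';

console.log(findTabnabbingRefreshes(SAMPLE_BENIGN, 'https://recipes.example/'));   // []
console.log(findTabnabbingRefreshes(SAMPLE_SUSPECT, 'https://recipes.example/'));
// [ { delay: 300, target: 'https://lookalike.example/login' } ]
```

Run it with Node. The check only covers the scriptless variant: a page that rewrites itself from JavaScript, for example on a timer or when the tab loses focus, leaves no static marker in the HTML, which is why a browser-side control that stops inactive tabs from changing location is needed as well.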

The NoScript extension for Firefox defends against both the JavaScript-based attack and the scriptless attack based on meta refresh, by preventing inactive tabs from changing the location of the page.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 