Tuesday, May 25, 2010

Tabnabbing: New Tabbed Browsing Phishing Attack Exploits User Trust

Aza Raskin, Creative Lead for Firefox @ Mozilla, has outlined a new type of phishing attack that takes advantage of the way that browsers handle tabbed browsing and enables an attacker to use a script running in a tab to change the content of that tab after a period of inactivity. This "behind your back" switch could trick a user into giving up important information to a malicious site.

Some media outlets have reported this to be a "cross-tab manipulation type attack", but in reality the "malicious" tab only changes itself after a period of inactivity; it *is not* changing a completely different tab. This is a very important distinction.

Users who commonly open a large number of tabs could easily lose track of where that "Gmail" tab was, and thus fall victim to this type of attack.

Moral of the Story: Watch your tabs and always check URLs
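The "watch your tabs" advice can be partly automated. The sketch below is an added example, not code from this post or from the original researcher: it records what a tab looked like when it was hidden and reports what changed by the time it is shown again. The names `TabWatch`, `readPage`, the watched fields and the severity rule are assumptions made for illustration.

```javascript
// Fields a user relies on to recognise a tab (assumed set for this example).
const WATCHED = ["title", "favicon", "hasPasswordField"];

// Reduce a page to the watched fields; copying keeps the record immutable.
function snapshot(page) {
  return Object.fromEntries(WATCHED.map((k) => [k, page[k]]));
}

function diffSnapshots(before, after) {
  return WATCHED.filter((k) => before[k] !== after[k]);
}

class TabWatch {
  constructor() { this.hiddenSnap = null; }

  // Call when the tab stops being visible.
  onHidden(page) { this.hiddenSnap = snapshot(page); }

  // Call when the tab is visible again; returns a finding, or null if unchanged.
  onVisible(page) {
    if (!this.hiddenSnap) return null;
    const changed = diffSnapshots(this.hiddenSnap, snapshot(page));
    this.hiddenSnap = null;
    if (changed.length === 0) return null;
    // A new look plus a newly present login form is the switch the post describes.
    const lookChanged = changed.includes("title") || changed.includes("favicon");
    const loginAppeared = changed.includes("hasPasswordField") && page.hasPasswordField;
    return { changed, severity: lookChanged && loginAppeared ? "high" : "low" };
  }
}

// Read the same fields from a live DOM (used only in a browser).
function readPage(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.href : "",
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Browser wiring; skipped when no DOM is present (e.g. under Node).
if (typeof document !== "undefined") {
  const watch = new TabWatch();
  document.addEventListener("visibilitychange", () => {
    if (document.visibilityState === "hidden") return watch.onHidden(readPage(document));
    const finding = watch.onVisible(readPage(document));
    if (finding) console.warn("Tab changed while hidden:", finding);
  });
}
```

A title-only change (such as an unread-message counter) is reported as low severity, so legitimate background updates do not read the same as a full identity switch.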

Hat-tip to Threatpost.com


Original Researcher's Blog

Video Demo of the Attack
