
Tabnapping Scams Around the Corner?

CmdrTaco posted more than 4 years ago | from the well-that's-not-very-nice dept.

Security 362

scamdetect pointed us to an interesting bit of news about a new security risk called tabnapping that was recently outlined by Aza Raskin. The short story is that background tabs are updated with login forms impersonating the sites they originally contained, but hosted by helpful third parties primarily interested in your password. (CT:Original writeup removed at request of submitter)

Umm... (3, Insightful)

Pojut (1027544) | more than 4 years ago | (#32334724)

...so are people really dumb enough to go "oh right, my bank's webpage" without realizing they didn't bring it up themselves?

Re:Umm... (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32334762)

Yes.

Did you really need to ask?

Re:Umm... (0, Flamebait)

Pojut (1027544) | more than 4 years ago | (#32334804)

It was a rhetorical question, clod!

Protect Those Morons ... for some reason (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32335336)

i am so goddamned tired of hearing these stories that say "oh noes, stupidity might be painful, what will we do, it's so terrible, simpwy tewwible!" if you are stupid you should not breed. if you are stupid, nature has only ever had one cure for that, a little good old Darwinism natural selection. why the fuck do we care so much about them getting ripped off and having some money taken away when we should be sterilizing them surgically?

Re:Protect Those Morons ... for some reason (0)

Anonymous Coward | more than 4 years ago | (#32335406)

... why the fuck do we care so much about them getting ripped off and having some money taken away when we should be sterilizing them surgically?

Certain 'officials' would not get elected if that was to happen. Doesn't matter which party.

Re:Umm... (5, Insightful)

mgblst (80109) | more than 4 years ago | (#32334792)

What if they have it in another tab already? Then it would work.

And if you use this for gmail, or facebook, tabs that people always have opened, it is going to get results.

This is actually incredibly brilliant. I am going to pay more attention to my tabs from now on.

Re:Umm... (1)

PopeRatzo (965947) | more than 4 years ago | (#32335150)

As long as they leave my Quick Launch bar alone.

Re:Umm... (1)

morgan_greywolf (835522) | more than 4 years ago | (#32335348)

As long as they leave my Quick Launch bar alone

The Quick Launch bar in Windows is one of the easiest things to modify programmatically. Very easy to do with a bit of VBScript code, PowerShell code, or perhaps something like a NullSoft installer.

Re:Umm... (0)

Anonymous Coward | more than 4 years ago | (#32335252)

What if they have it in another tab already? Then it would work.

And if you use this for Slashdot, or Youporn, tabs that people always have opened, it is going to get results.

This is actually incredibly brilliant. I am going to pay more attention to my tabs from now on.

Fixed for target audience.

Re:Umm... (3, Insightful)

Anonymous Coward | more than 4 years ago | (#32334830)

I think what might be more disturbing is if the application looked at what URLs your other tabs are on and redirected those sites to phishing sites that have copied the layout.

Re:Umm... (2, Insightful)

commodore64_love (1445365) | more than 4 years ago | (#32334848)

Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen. And I would probably fall for it when, in about an hour, I go back to see it. I'd type in my name and password without realizing a thief was watching.

Not exactly. (3, Informative)

khasim (1285) | more than 4 years ago | (#32334920)

Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen.

Not exactly. From his page on this "exploit"...

You can try it out on this very website (I've only tested it in Firefox). Click away to another tab for at least five seconds. Flip to another tab. Do whatever. Then come back to this tab.

It's hard to find, isn't it? It looks exactly like Gmail. I was lazy and took a screenshot of Gmail which loads slowly. It would be better to recreate the page in HTML.

So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.

Re:Not exactly. (2, Insightful)

jandrese (485) | more than 4 years ago | (#32335104)

The idea is that these users we always hear about who never have less than 50 tabs open can't remember which tabs are which, and if you put up a Facebook login screen or something, then you'll think it's just a timed out Facebook session.

Even before tabbed browsing was popular, you could have done this with minimized or backgrounded windows too. To me the big problem is that he has to create a site that people will feel compelled to leave open while they go off and do something else. That will probably be the most difficult part.

Re:Not exactly. (1)

somersault (912633) | more than 4 years ago | (#32335236)

Except your Facebook never times out unless you log into it on another computer or you don't tick the box to stay logged in.. which I suppose some people might if they don't know how to set up multiple accounts on their computer.

To create a site that people will feel compelled to leave open while they go off and do something else.. that actually sounds incredibly easy - either a porn site or a "humourous" video amalgamation feed type thing which opens the links you click on in a new tab.

Re:Not exactly. (4, Interesting)

WrongSizeGlass (838941) | more than 4 years ago | (#32335220)

So his "exploit" is to wait until you are away from HIS tab and then alter HIS tab to look like it is a different site.

Exactly ... but if the 'fake' site checks your browser history for the specific fake login screens they have in their repertoire then they can show one that you have used recently.

Re:Umm... (1)

Pojut (1027544) | more than 4 years ago | (#32335036)

Well for example I'm logged into facebook right now. As I'm jumping from site-to-site in Tab #2, one of them could hijack the Tab #1 and make it look like a legitimate facebook login screen

Ah, but like you said, you are logged into Facebook right now. Would you not find it suspicious if when you clicked back over to it, you were greeted with a login screen?

Losing your cookies every 24 hours (1)

tepples (727027) | more than 4 years ago | (#32335086)

like you said, you are logged into Facebook right now. Would you not find it suspicious if when you clicked back over to it, you were greeted with a login screen?

A lot of web sites periodically invalidate session cookies after 24 hours. In that case, the next link you click even on the legitimate site will present a login screen.

Re:Greeted with Logins (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32335262)

No, because this is REALLY dangerous for Yahoo Mail.

I'm logged in, and it likes to revert back to login pages all the time! It even makes you login twice "to check your security". So this TabMcNab exploit is going to be really dangerous somewhere. I'm pretty sharp, but that page has cried wolf so many times I would have fallen for this if it was grade-A delivered.

Re:Umm... (3, Interesting)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#32334922)

P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."

Arguably, that will be the case here. Your basic clueless noobtard will click on just about anything that looks vaguely plausible, and a lot of stuff that doesn't. This technique will be overkill for them, since straight phishing still works just fine.

Your competent power user, on the other hand, may not fall for the trivial cases (two or three tabs, "innocuous-linkfarm.typosquatter.com" changes into "evil.ath.cx/yourbankherereallyhonestly.html" in front of your eyes); but they are the ones most likely to have 10 firefox windows open, each with 20 or 30 tabs, possibly on multiple monitors. Unless you possess an inhuman ability to maintain state tables in your head, you could easily assume that "yourbank.scam.com" on browser window 5, tab 15, is the "yourbank.com" that you actually did open, on browser window 7, tab 19. That'd be a totally understandable mistake, some percentage of the time, especially if you were tired, distracted, multitasking, or getting sauced enough to face a legacy refactoring project.

Again, tab-related trickery is of no particular use against SSL and cert validation, so the clueful user could detect it that way (unless combined with some attack on SSL, the browser's implementation of it, or the integrity of a trusted certificate authority); but there is no particular reason to suspect that any but the most paranoid user would detect the tab-substitution attack itself.

Re:Umm... (0)

Anonymous Coward | more than 4 years ago | (#32335166)

Wasn't it Abraham Lincoln that said that?

Re:Umm... (0)

Anonymous Coward | more than 4 years ago | (#32335264)

but there is no particular reason to suspect that any but the most paranoid user would detect the tab-substitution attack itself.

Or anyone who doesn't leave login pages open. Generally, if I have a tab open, it's because it's on a page with some actual content that I will want to go back to at a later time. If I log into something that might time me out eventually, such as my bank, then I just log in, do what I need to do, log out, and close the tab.

Also, even if I did have 10 Firefox windows open with 20 or 30 tabs in each, when it's time to log into my bank, I'm not going to flip through all 200 to 300 tabs to see if there happens to be one sitting on the bank login page, I'm just going to open a new tab and go directly to it.

I'm not saying that people won't fall for this. I'm just saying you don't have to be "the most paranoid user" to detect, or at least avoid, tab substitution.

Re:Umm... (1)

KiloByte (825081) | more than 4 years ago | (#32335278)

tab-related trickery is of no particular use against SSL and cert validation,

And how exactly would SSL help in this case? The phisher will have a legitimate cert for *.scam.com; you're not going to catch it unless you notice the URL is wrong or you run Certificate Patrol.

Re:Umm... (0)

Anonymous Coward | more than 4 years ago | (#32335308)

What kind of power user accepts a bank that uses only a username + password for the management of their money?

Re:Umm... (1)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#32335322)

Depending on the market they happen to live in, any power user who wants a bank...

Re:Umm... (3, Informative)

mcgrew (92797) | more than 4 years ago | (#32335472)

P.T. Barnum, expert applied scamologist, is said to have observed that you can "fool some of the people all of the time and all of the people some of the time."

No, that was Abraham Lincoln, who said "you can fool some of the people all of the time, and all of the people some of the time, but you can't fool all of the people all of the time."

PT Barnum said "there's a sucker born every minute." And both he and Lincoln were correct.

Re:Umm... (1)

SatanicPuppy (611928) | more than 4 years ago | (#32335474)

Actually, wrt banking transactions, I'm cautious enough due to cross-site scripting vulnerabilities that I won't open a bank session when I have any other tabs open.

Re:Umm... (1)

AlexiaDeath (1616055) | more than 4 years ago | (#32334936)

People are dumb enough to install Latest Awesome Bling MSN smileypack + FREE TROJANS, they are dumb enough to fall for this. Banks around here do recommend opening a NEW browser window for banking and closing it after done tho as a dumb user safeguard. But they also implement a proper 2 factor (what you know + what you have, a smart card with PIN needed to use certificates) authentication system. The legacy 1.5 factor system is severely limited (the sum you can move is ridiculously small) already and will be phased out completely soon. This or better is what the world of banking should do everywhere.

Re:Umm... (1)

sglane81 (230749) | more than 4 years ago | (#32335216)

This does not prey on smart or dumb. This preys on how much information you can hold in your head at the same time. Miller's magic number 7. When you go beyond 7 things, you'll have to access different memory which is where the sleight of hand is at play.

http://en.wikipedia.org/wiki/The_Magical_Number_Seven,_Plus_or_Minus_Two [wikipedia.org]

Re:Umm... (1)

morgan_greywolf (835522) | more than 4 years ago | (#32335452)

This does not prey on smart or dumb. This preys on how much information you can hold in your head at the same time. Miller's magic number 7. When you go beyond 7 things, you'll have to access different memory which is where the sleight of hand is at play.

Which is exactly why the parent pointed out that best practice for going to your bank is still to open a new browser window with no other tabs every time and closing it as soon as you're done.

It seems dumb to me not to do so.

Re:Umm... (1)

KiloByte (825081) | more than 4 years ago | (#32335324)

The phisher will just proxy your session to the real bank. Except, when you make that transfer, oops!, it will go to a different account. All while displaying the account you wanted on your screen.

Re:Umm... (1)

Taibhsear (1286214) | more than 4 years ago | (#32335136)

...so are people really dumb enough to go "oh right, my bank's webpage" without realizing they didn't bring it up themselves?

Having cleaned malware from at least a dozen computers/hard drives in the last couple months alone... Yes.

Re:Umm... (1)

erroneus (253617) | more than 4 years ago | (#32335378)

Actually, in theory, they already had their bank web page up and when they weren't looking, some other code/app changes that page to a phishing page that looks like the bank's site except that it says "session timed out, please log in again." At which point, the user provides his username and password to restore his session.

Not only do I see the average Joe falling for this sort of attack, I see *ME* falling for such an attack. I use uncommon financial and insurance companies and I have never seen a phishing email come to me pretending to be one of those... well until recently anyway. I did get one from my fairly exclusive insurance company and was pretty impressed with some levels of its sophistication. I didn't fall for it, but if it appeared in one of my tabs replacing a legitimate session, I would certainly have been fooled.

Two things should be done to prevent this:

1. Browsers must be coded to prevent this sort of cross-tab manipulation.
2. All providers of sensitive information should use a key-fob type security device where the password is changed every minute or so. In this case, if the login credentials were compromised, it would quite likely be changed before anything bad could happen.

This second option should be requested by the users. With enough requests, the institutions are bound to respond eventually. Many banks do this already with larger commercial customers leaving their private individual customers more open to exploitation. It's time I got my own SecureID type device, I think.

Re:Umm... (1)

dtml-try MyNick (453562) | more than 4 years ago | (#32335400)

...so are people really dumb enough to go "oh right, my bank's webpage" without realizing they didn't bring it up themselves?

Short answer, yes! Long answer, yes!

It's not even about being stupid or being dumb, but the majority of people are simply clueless. It's their computer and that's safe by definition. They can't imagine that anything they see in their browser (or other program) they started up themselves could be malicious.

They had to be taught not to click on links in their mail and you expect that very same group to know that a website can be evil too, even if it looks exactly, pixel-perfect, the same as the website they usually visit.
Not going to happen.

There are 2 kinds of people in this world, those who are stupid and/or gullible and those who take advantage of that.

Nab the tab? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32334738)

This is why it's so important to check the address of the site you're about to log into.

We need death squads (1)

commodore64_love (1445365) | more than 4 years ago | (#32334782)

People who do this crap of stealing people's accounts or identities should be shot.

Re:We need death squads (3, Funny)

PhongUK (1301747) | more than 4 years ago | (#32334798)

How do we identify them?

Re:We need death squads (1)

Chrisq (894406) | more than 4 years ago | (#32334926)

People who do this crap of stealing people's accounts or identities should be shot.

How do we identify them?

Why not ask the RIAA. They identify lots of copyright infringers. What could possibly go wrong.

Re:We need death squads (1)

commodore64_love (1445365) | more than 4 years ago | (#32334810)

On second thought, since government does sometimes convict innocent people, let's avoid the death penalty. Let's make these creeps lifelong indentured servants to whomever they have harmed. I wouldn't mind having the guy who stole my credit card and purchased $4000 at Walmart serve as my maid for a summer.

Re:We need death squads (0)

Anonymous Coward | more than 4 years ago | (#32334942)

You watched that Seinfeld episode again, didn't you?

Re:We need death squads (0)

Anonymous Coward | more than 4 years ago | (#32335048)

I wouldn't mind having the guy who stole my credit card and purchased $4000 at Walmart

Hahahaha. Couldn't have happened to a more deserving person. Maybe Alex Jones will go ask the reptilians to loan you the money?

Re:We need death squads (2, Funny)

AndrewBC (1675992) | more than 4 years ago | (#32335312)

New plan: steal my own identity sloppily under the guise of your identity which I stole perfectly. Now polish my boots!

Re:We need death squads (1)

WrongSizeGlass (838941) | more than 4 years ago | (#32335404)

New plan: steal my own identity sloppily under the guise of your identity which I stole perfectly. Now polish my boots!

Now, that is just evil. Go to your room and think about what you've ... um, on the other hand, stop thinking about that stuff before you come up with an even more devilish plan.

Sneaky... (3, Interesting)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#32334788)

Obviously, this won't subvert SSL certs or anything; but studies consistently demonstrate that users oscillate between "don't know" and "don't care" about those, so that isn't much comfort.

And, since pages reloading themselves, or even forwarding to a different domain and URL entirely, after a delay is fairly common (if generally annoying) in a wide variety of legitimate applications, you can't really just break the ability to do that. Sure, you could add it as an advanced option somewhere, or get it largely for free with the right NoScript settings; but there is no way you can break it by default.

You pretty much just fall back on the phishing filter, which is a lame, AV-esque "solution". This would seem to apply to all tabbed browsers, as well.

Re:Sneaky... (1)

jamesh (87723) | more than 4 years ago | (#32335364)

Obviously, this won't subvert SSL certs or anything

Are there any browser addons that alert you when you are entering a password into a non-SSL site? That would reduce this problem unless the bad guys got SSL certs or compromised websites with SSL certs, which is less common. And even then, the addon could flash something down the bottom like "entering password for yourbank.com" vs "entering password for yourbank.com.badguy.ru". You'd have to be observant but less actively so.
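The add-on sketched in that post is straightforward to express as a content script. The block below is an added example, not code from any existing add-on or from the poster: it watches for focus landing on a password field, and shows a status line naming the full host the password is about to go to, in red when the page is not served over HTTPS. The decision logic is kept free of DOM calls so it can be exercised outside a browser; the banner styling and the `focusin` hook are assumptions about how such an add-on would surface the information.

```javascript
// Added example (not from the post or any real add-on): warn on password entry
// into a non-HTTPS page and always name the host receiving the password.

// Describe where a typed password would be sent, given the page URL.
// Returns { secure, host, warning }; 'warning' is null when nothing is wrong.
function assessPasswordEntry(pageUrl) {
  const url = new URL(pageUrl);
  const secure = url.protocol === 'https:';
  const host = url.hostname;
  const warning = secure ? null : `Password field on a non-HTTPS page: ${host}`;
  return { secure, host, warning };
}

// The status-line text the post describes: "entering password for <host>".
// The whole hostname is shown, so "yourbank.com.badguy.ru" is never shortened
// to a leading label that happens to read like the real bank.
function statusLine(pageUrl) {
  const { secure, host } = assessPasswordEntry(pageUrl);
  return `entering password for ${host} (${secure ? 'HTTPS' : 'NOT HTTPS'})`;
}

// Browser hook-up; skipped when there is no DOM (e.g. under Node).
if (typeof document !== 'undefined') {
  document.addEventListener('focusin', (ev) => {
    const el = ev.target;
    if (!(el instanceof HTMLInputElement) || el.type !== 'password') return;
    const { warning } = assessPasswordEntry(location.href);
    const bar = document.createElement('div');
    bar.textContent = warning || statusLine(location.href);
    Object.assign(bar.style, {
      position: 'fixed', bottom: '0', left: '0', right: '0', padding: '4px',
      background: warning ? '#c00' : '#060', color: '#fff', zIndex: 2147483647,
    });
    document.body.appendChild(bar);
    el.addEventListener('blur', () => bar.remove(), { once: true });
  }, true);
}
```

As KiloByte notes elsewhere in the thread, a scam domain can carry a perfectly valid certificate, so the HTTPS colour alone settles nothing; the value of the status line is that the user reads the host every time a password field is focused rather than only when they think to look at the address bar.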

This is one of those stupidly smart things. (3, Informative)

Securityemo (1407943) | more than 4 years ago | (#32334796)

You see this, and think "Why didn't someone think about this before?"

Re:This is one of those stupidly smart things. (2, Interesting)

supersloshy (1273442) | more than 4 years ago | (#32335042)

You see this, and think "Why didn't someone think about this before?"

Tab Mix Plus [mozilla.org] has had locked tabs [garyr.net] for a while now. I'm not entirely sure if this fixes the issue of tabnapping, but it looks like it might.

Re:This is one of those stupidly smart things. (1)

mysidia (191772) | more than 4 years ago | (#32335202)

I'm sure NoSCRIPT will help also. Why does Firefox even allow a script to manipulate tabs other than ones it opened?

Re:This is one of those stupidly smart things. (1)

WrongSizeGlass (838941) | more than 4 years ago | (#32335332)

NoScript will help because this is done via simple javascript. The 'tab' is not manipulated - a new front-most 'div' appears that displays the fake login screen. I'm sure the same type of thing could be accomplished by changing the document.location via a timer rather than displaying a new div.

The tech behind this type of scam is not new by any means ... it's just that the concept is different.

Tabnapping (1)

DarkKnightRadick (268025) | more than 4 years ago | (#32334854)

Without having RTFA:

That sounds a lot more complicated as you'd need to hack at least one high traffic website, read the cookies stored by the browser, and then force a meta-refresh only when the user isn't looking.

Re:Tabnapping (0)

Anonymous Coward | more than 4 years ago | (#32335148)

Well you should have RTFA.

Come On (1)

tralflamadore (1525837) | more than 4 years ago | (#32334856)

He could have come up with something a little less douchey than "tabnapping". Next thing you know, everyone will be saying, "I've been tabnapped!"

Re:Come On (0)

Anonymous Coward | more than 4 years ago | (#32334972)

Boobquake has been tabnapped by a Viral Market! Quick, get out your Web 2.0 strategies!

disabling scripts on unfocused tabs? (4, Interesting)

roman_mir (125474) | more than 4 years ago | (#32334868)

Maybe it is time for the browsers to take matters more seriously and block any scripts from running in tabs that are not currently in focus.

But this can be done in separate windows too, not just in tabs. In terms of whether this is a new concept, let's just say that I have 'seen' this done 10 years ago to gain access to some chat accounts.

Re:disabling scripts on unfocused tabs? (-1, Troll)

sopssa (1498795) | more than 4 years ago | (#32334948)

Then how do you play online games or use chat features on social sites? Currently I have 4 Ultima Online tabs open and the game continues on the background, and Facebook with a few chat windows open. The participants know I'm online since the script continues to execute.

Security is great, but you really need to think about what your suggestions will do before making them.

Re:disabling scripts on unfocused tabs? (2, Insightful)

roman_mir (125474) | more than 4 years ago | (#32335110)

white listing is not an impossible concept, or is it?

Re:disabling scripts on unfocused tabs? (1)

Lunix Nutcase (1092239) | more than 4 years ago | (#32335178)

But highly inconvenient to many users so they will get mad and disable such a feature thus negating the entire purpose.

Re:disabling scripts on unfocused tabs? (1)

roman_mir (125474) | more than 4 years ago | (#32335244)

Do you think that a dialog, warning a user who is switching from one screen to another with an 'allow always/never/this time/stay on this page' choice in case a site is running scripts in the background, and then white-listing the site if the 'allow always' button is pushed, is such an outrageous concept?

Maybe then the users deserve to have their private information stolen.

This is Internet, it's not your mommy, who will love you no matter what you do (supposedly).

Re:disabling scripts on unfocused tabs? (1)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#32335270)

Technologically, yes. From a human interaction perspective, not really.

Unless you want an audience of only security enthusiasts, having your browser break all sorts of common and legitimate websites by default is a no-go.

If a site is convincing enough to phish somebody, it is probably convincing enough to get them to whitelist it (unless you make whitelisting such a pain in the ass that the bottom 20% of your users can't even figure it out).

If you ship your own whitelist, you face the endless time-and-money-sucking battle of having to enumerate goodness on the internet.

If you try to piggyback on some other mechanism (say, any site with a valid SSL cert gets on the whitelist), you still break legitimate sites that don't use or need SSL and don't break malicious sites that use innocuous URLs and simply depend on the user not checking them carefully (i.e. getting a reputable cert authority to give you a cert for "bankofam3rica.com" shouldn't be possible. That is an obvious phishing tool. Getting one for "blandurl.com" should be no problem, and nothing stops you from hosting a picture-perfect copy of the Bank of America login page on a blandurl.com subdomain.)

Whitelisting only really works, behaviorally, in situations where a competent and dedicated decision-making authority exercises control over the user. Unfortunately, being such an authority is either a thankless task, or an all-too-rewarding one (either in terms of censorship potential, rent-extraction potential, or both.)

Re:disabling scripts on unfocused tabs? (1)

roman_mir (125474) | more than 4 years ago | (#32335478)

Well, the point was that a site that does not look like it's trying to phish anything changes all of a sudden (possible to do with a script or with a delayed HTTP response, sort of a server push) and this innocuous-looking site morphs into a phishing page.

So if the site was a legitimate one (well, how legitimate is the real Facebook, but still) and then someone hijacked it, then it would be a problem for the user because the user would trust Facebook.

If the site is not something that the user is familiar with, that would be the site to block from running scripts in the background unless it's white-listed upon the user switching to another tab or application. So the browser would have to detect whether there is a script running in the background of the site and ask the user to: allow always/never/this time/stay on page, and then whitelist the site if the 'allow always' option is chosen.

Of course it's not going to prevent every single type of attack, it's just one more protection that can do pretty well if the user understands what is happening, of course.

--

Another possibility is to record what the tab/window looked like before the user left the page and then show the old page and the new one once the user returns. It's more complicated than the other proposal, it also has pitfalls, but there must be some options of dealing with this.
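The "record what the tab looked like before the user left" idea above, together with WrongSizeGlass's observation earlier in the thread that the swap is done by plain JavaScript (a new front-most div, or a timer changing `document.location`), can be turned into a small watchdog. The block below is an added example, not browser code or code from any poster: it snapshots the page's origin, title and number of password fields when the tab is hidden and compares on return, reporting what changed while nobody was looking. The comparison is pure so it can be tested outside a browser; the `visibilitychange` hook and banner are assumptions about how an add-on would wire it up, and the sample scenario is constructed.

```javascript
// Added example (not from the thread or any browser): snapshot a tab's
// observable identity when it is hidden and report what changed on return.

// What a user can reasonably be expected to have noticed about a page: its
// origin, its title, and whether it had a login form. A password field that
// appears while the tab is hidden is the signature of the scam discussed here.
function snapshot({ href, title, passwordFields }) {
  const url = new URL(href);
  return { origin: url.origin, title, passwordFields };
}

// Compare the snapshot taken when the tab was hidden with one taken on return.
// Returns human-readable findings; an empty list means nothing changed.
function compareSnapshots(before, after) {
  const findings = [];
  if (before.origin !== after.origin) {
    findings.push(`page moved from ${before.origin} to ${after.origin} while hidden`);
  }
  if (before.title !== after.title) {
    findings.push(`title changed from "${before.title}" to "${after.title}" while hidden`);
  }
  if (after.passwordFields > before.passwordFields) {
    const n = after.passwordFields - before.passwordFields;
    findings.push(`${n} new password field(s) appeared while hidden`);
  }
  return findings;
}

// Constructed scenario: a harmless article tab that, while hidden, turned into
// a Gmail-styled login page with one password field (origin unchanged, since an
// in-page overlay does not navigate anywhere).
function demoTabnapScenario() {
  const whenHidden = snapshot({ href: 'https://innocuous.example/article',
                                title: 'An article', passwordFields: 0 });
  const onReturn = snapshot({ href: 'https://innocuous.example/article',
                              title: 'Gmail: Email from Google', passwordFields: 1 });
  return compareSnapshots(whenHidden, onReturn);
}

// Browser hook-up; skipped when there is no DOM (e.g. under Node).
if (typeof document !== 'undefined') {
  let hiddenState = null;
  const current = () => snapshot({
    href: location.href,
    title: document.title,
    passwordFields: document.querySelectorAll('input[type=password]').length,
  });
  document.addEventListener('visibilitychange', () => {
    if (document.visibilityState === 'hidden') {
      hiddenState = current();                    // what the user last saw
    } else if (hiddenState) {
      const findings = compareSnapshots(hiddenState, current());
      if (findings.length) {
        const bar = document.createElement('div');
        bar.textContent = 'This tab changed while you were away: ' + findings.join('; ');
        Object.assign(bar.style, {
          position: 'fixed', top: '0', left: '0', right: '0', padding: '6px',
          background: '#c00', color: '#fff', zIndex: 2147483647,
        });
        document.body.appendChild(bar);
      }
      hiddenState = null;
    }
  });
}
```

One caveat that the page-script form cannot get around: if the swap is done by navigating `document.location` to another origin, the page script is torn down with the old document, so the "before" snapshot would have to live outside the page (in an extension's background context keyed by tab id) for the comparison to survive the navigation. The in-page overlay variant, where the URL never changes, is exactly the case the page-script version catches.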

Re:disabling scripts on unfocused tabs? (1)

tepples (727027) | more than 4 years ago | (#32335234)

Then how do you play online games or use chat features on social sites?

They would update in one huge refresh a second after you switch back to them.

Re:disabling scripts on unfocused tabs? (0)

Anonymous Coward | more than 4 years ago | (#32335250)

but you really need to think about what your suggestions will do before making them.

"need to think"? Ahahahah! Coming from the idiot who claims Apple doesn't invest in R&D. Nice try fucktard. By the way, you really think the average Joe will have 4 tabs open to play some game and chat in the same browser? The person who does that is probably tech inclined enough to whitelist some sites.

Keep trolling sopssa, every post you make just sheds more light on your ignorance.

Idiot.

Re:disabling scripts on unfocused tabs? (1)

The MAZZTer (911996) | more than 4 years ago | (#32334974)

Except this would break AJAX applications that need to send heartbeats, such as chat applications.

Re:disabling scripts on unfocused tabs? (1)

roman_mir (125474) | more than 4 years ago | (#32335170)

White-listing of sites would fix that problem.

Re:disabling scripts on unfocused tabs? (1)

jafiwam (310805) | more than 4 years ago | (#32334980)

Maybe, as an option with a white list for sites. I say this because Slashdot would be completely useless if there weren't options. It takes 90 seconds to load all the crap scripting in Firefox if there are more than 100 or so comments. One of the nice things about using tabs is one window can contain whatever slow-assed crap I am trying to pull up researching some dumb error or other. Having the tab do nothing while not being viewed would remove 99% of the usefulness of tabs.

Re:disabling scripts on unfocused tabs? (1)

tokul (682258) | more than 4 years ago | (#32335050)

Maybe it is time for the browsers to take matters more seriously and block any scripts from running in tabs that are not currently in focus.

AJAX, automatic page reloads, download counters on file sharing sites

Re:disabling scripts on unfocused tabs? (1)

roman_mir (125474) | more than 4 years ago | (#32335320)

Those are great, aren't they? You missed another one: a delayed HTTP response, in effect a server 'push' to the browser.

You use white listing to avoid this problem by detecting if a page is running scripts in the background and presenting the user with the obvious "run always/never/this time/stay on page" dialog with an explanation of why this is.

If they decide not to pay attention and click on whatever, well, I actually believe in social Darwinism and in this instance it really is not likely that someone will die if their bank account is emptied (though there is a remote chance of that.)

Re:disabling scripts on unfocused tabs? (1)

jellomizer (103300) | more than 4 years ago | (#32335146)

Except for the fact that the Web Browser, like it or not, is more than just a web browser; it is an interface platform for applications. You can bitch and moan all you want. However, the Web Apps are here and they are going to stay for a long time. Every time you try to block a security issue you close another door for honest development. So the easy fix of saying you can cross script to other tabs or windows sounds like an easy fix... It really isn't.

Re:disabling scripts on unfocused tabs? (1)

roman_mir (125474) | more than 4 years ago | (#32335210)

I don't know who is bitching or moaning, but the suggestion is totally reasonable when provided with a white-list, so the sites you want to run scripts in the background will be able to if the browser warns the user that there are scripts in the background that await execution and that switching from the tab will stop them.

Then the proverbial: Cancel/Allow or something to that effect would add this site to a white-list.

So, no need for your dramatic epithets.

A little peeved! (1, Informative)

scamdetect (1731728) | more than 4 years ago | (#32334930)

Dear Slashdot: I submitted the above story this morning and was pleased when it was accepted for publication on your website. However, I was a little peeved to find that the link I included in the story [scam-detectives.co.uk] was substituted in the final story with this one [krebsonsecurity.com]. Obviously this substitution removes any benefit whatsoever of my having taken the time to write the blog post and submit it to slashdot in the first place. Any chance of swapping the link back?

Re:A little peeved! (1, Insightful)

simoncpu was here (1601629) | more than 4 years ago | (#32335116)

Are you sure this post is not a scam that is intended to drive traffic to your site?

Re:A little peeved! (5, Insightful)

mysidia (191772) | more than 4 years ago | (#32335284)

Slashdot is about news, not driving traffic to someone's website.

And 'getting traffic' is not some kind of exchange or reward offered for submitting an article.

If a different link is editorially better, then it is expected that the editors will swap it.

MOD PARENT DOWN (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32335176)

Quit trolling, man.

Re:MOD PARENT DOWN (0, Troll)

scamdetect (1731728) | more than 4 years ago | (#32335212)

Not trolling, just peeved that my link was ripped out yet the body of the story is identical.

Re:MOD PARENT DOWN (0)

Anonymous Coward | more than 4 years ago | (#32335298)

You're trolling. This is CmdrTaco's site. Just be glad kdawson didn't get your story, or he would have put "pwned" in the title. Your link doesn't matter. Get over it.

Re:A little peeved! (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32335196)

Dear Slashdot:

I submitted the above story this morning and was pleased when it was accepted for publication on your website.

However, I was a little peeved to find that the link I included in the story [scam-detectives.co.uk] was substituted in the final story with this one [krebsonsecurity.com].

Obviously this substitution removes any benefit whatsoever of my having taken the time to write the blog post and submit it to slashdot in the first place.

Any chance of swapping the link back?

Slashdot seems to "favor" krebsonsecurity.com for some reason, and might have some behind the scenes agreement with them to shove traffic to them artificially. Please don't operate under any assumption that the /. "editor" staff is going to be fair and objective. They have their agendas, and have certainly rewritten submissions to suit their purposes in the past.

Re:A little peeved! (5, Insightful)

clickety6 (141178) | more than 4 years ago | (#32335256)

First tab-nabbing and now submission-nabbing where the link in the article changes after submission!

Re:A little peeved! (3, Insightful)

Anonymous Coward | more than 4 years ago | (#32335424)

Regardless of which link is in the story, I still greatly benefit from you having taken the time to write the blog post and submit it to slashdot. Thank you for that.

Oh, you meant benefit to you! What do you think slashdot is? Just a way to generate eyeballs for your personal blog? Screw you for that.

Re:A little peeved! (0)

Anonymous Coward | more than 4 years ago | (#32335476)

Well, in case you were wondering, the name tabnapping was dubbed originally by a commenter on the post at Krebsonsecurity. The Firefox guy then updated his page based on that krebsonsecurity comment. You then wrote your post with a title along the lines of "tabnapping." Sorry pal, but Brian Krebs beat you to the punch, as evidenced by the title of your post.

So let me get this straight... (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#32334934)

I'm supposed to open a tab, go to a website, open a second tab, go to a compromised website which changes the content of the first tab without my interaction, and then log on to the site presented in the first tab? Don't you think that I'll notice that I'm not on the same website I was on previously?

Seriously, all of these types of attacks rely on the user having the mental capacity of a damp shoelace. Maybe letting them get bitten every so often will teach them to pay more attention to what's going on, and not blindly click away every message box or enter details into every site they're presented with.

Re:So let me get this straight... (3, Informative)

The MAZZTer (911996) | more than 4 years ago | (#32334990)

Some people keep 100s of tabs open. They could come back hours later and see a Gmail login screen and assume they opened it at some point.

Re:So let me get this straight... (1)

PatHMV (701344) | more than 4 years ago | (#32335102)

No, the attack knows what site you had open in tab 1, and replaces the page that had been in there with another page which appears to be from the SAME site. It will have all the right logos and so forth, and will say something like "Your Facebook session has timed out. Please log in again." ... with a very normal looking log-in button right below it. Except that you're not actually on Facebook in that tab anymore. In other words, RTFA. This is a potentially very sophisticated attack which could dupe even folks who are pretty careful about always entering web addresses directly to avoid phishing attempts.

No tab? (1)

smaerd (954708) | more than 4 years ago | (#32334952)

Just give me something without sugar!

Re:No tab? (1)

flyingfsck (986395) | more than 4 years ago | (#32335486)

That will whoosh over the heads of 99.999% of people who never heard of Coke Tab.

if these geniuses (1)

circletimessquare (444983) | more than 4 years ago | (#32334970)

who develop these attack vectors used half of their creativity on a legitimate purpose, they'd make 10x the money and earn it completely honestly

i mean this is a brilliant attack. so, whoever thought this up, why aren't you making millions in a respectable way? you obviously have the brains to do that

some people just have to be assholes

Re:if these geniuses (1)

ascari (1400977) | more than 4 years ago | (#32335130)

Really? I take it you've never tried starting a business? Things like "brilliant" and "brains" often have very little to do with eventual success. Just take a look around you if you need hard evidence.

Additionally, there are places on the planet (including parts of the US and Western Europe) where opportunities still are limited even for smart people. The Internet and associated scams have opened up possibilities for "geniuses" in such places. So if you ask those geniuses the classic question "If you're so smart how come you're not a millionaire?" they might just answer "Well I'm on my way with this new clever scam of mine."

So in the end novel and clever forms of malfeasance might just be the "proper" action based on a cost benefit analysis. Or they might just be assholes. Or both.

Solution... (1, Interesting)

morkus (161747) | more than 4 years ago | (#32334976)

Simple solution - don't use tabs in browsers. The first thing I do to any browser I sit in front of, is to immediately disable the use of tabs. I have never understood why many people think they are a good idea - I think they break a heap of good UI principles.

My two cents as far as tabs go, is that a window should be a window - not a collection of tabs - for the simple reason that tabs obfuscate (hide) the content within. Yes, I can see the advantages of tabs within some UIs in certain situations - for example: segmenting "general" from "advanced" preferences; stepping data through a process, or in a rich client application where data is related.

Where tabs are a bad fit for browsing is that the data viewed in web apps is often too disparate - there is no linkage between any of the tabs within a "window" - the content of what is presented within is asynchronous and disconnected - tabs in browsers never have a true relationship with each other. Sure - you might be looking at two related sites, or two pages within a site, but tabs offer nothing (UI-wise) that a window cannot do. A new window offers a single view of a chunk of information; if you need another view, why not simply use another window. A mish mash of windows filled with tabs does not improve the UI in any way.

Re:Solution... (1)

Quantumstate (1295210) | more than 4 years ago | (#32335068)

Tabs usefully group views, so I can open a window which I use for looking up some maths things, another for slashdot stories perhaps. Also, current window managers aren't designed for having that many different windows open, so many applications use the tabbed approach, such as editors/IDEs.

Tabs can provide a specialized interface for web browsing such as tree style tabs which works very well, providing another level of organisation.

Re:Solution... (1)

The_mad_linguist (1019680) | more than 4 years ago | (#32335100)

Because I can avoid filling up my list of windows with dozens of instances of firefox when I'm working on a research project. If I have a bunch of tabs open, and only one window, it's far quicker to switch between the OpenOffice text and back.

Re:Solution... (0)

Anonymous Coward | more than 4 years ago | (#32335122)

This isn't limited to tabs. This works with multiple browser windows as well, the only requirement is window.onblur.

Re:Solution... (1)

Iamthecheese (1264298) | more than 4 years ago | (#32335224)

It certainly does improve the UI. Tabbing covers up the Windows UI problem of not being able to tell apart the documents you have open if you have enough of them. It does this by using extra screen real estate.

If I open 50 Opera windows I'll see "Opera" in each button in my taskbar but, unless I want to change my taskbar size dynamically, not the site name or that little icon for the site. If I open 50 Opera tabs then at the top of my screen I'll see all those little icons, which lets me click on the right tab.

Re:Solution... (1)

bhtooefr (649901) | more than 4 years ago | (#32335228)

Because most OSes have very poor window management, and Alt-Tab gets REALLY ANNOYING when you've got 50 windows open, 30 of them browser windows. Tabs at least give you Ctrl-Tab as an option for navigating the browser windows.

(Alternately, there is always the Mac route, where Cmd-Tab switches programs, and Cmd-` switches windows within a program.)

Re:Solution... (1)

milgr (726027) | more than 4 years ago | (#32335314)

The tabs are related... they are all web pages. I have about 25 tabs open in each of 2 Firefox windows. I also have numerous other windows on each of 7 virtual screens on each of 2 physical screens. Before the days of tabs, it was challenging to find the correct window. Now, for a web page I merely look in my browser tab list.

Hmm... maybe I should create a new SELinux sandbox [livejournal.com] for Firefox for each web page I visit, and avoid tabs.

Noscript (3, Informative)

Wonko the Sane (25252) | more than 4 years ago | (#32334984)

This attack only works if you allow Javascript by default, instead of only whitelisting sites that you trust.

Re:Noscript (1)

0ld_d0g (923931) | more than 4 years ago | (#32335326)

Agreed, but sometimes JS files are hosted off separate domains, etc., making white-listing a pain.

Can Javascript do this? (1)

Yvan256 (722131) | more than 4 years ago | (#32334992)

Can Javascript really access other tabs or windows? Shouldn't it be restricted to its own page/tab/window?

Awesome ! Thanks for the tip. (0)

Anonymous Coward | more than 4 years ago | (#32335230)

Now to get to work. Those accounts aren't just going to empty themselves now are they?

Server delayed HTTP response as a push (2, Interesting)

roman_mir (125474) | more than 4 years ago | (#32335360)

Even if the scripts are completely disabled on the page, what about a delayed HTTP response, in effect a push to the browser by a server that is done sometime after the page is loaded as a delayed response to the browser request?

It's really hard to avoid all possible scenarios of how a page can be changed from something to something else.
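An added example, not code from this thread or from the tabnapping writeup it discusses, showing the defender-side half of roman_mir's two proposals above (the "record what the tab looked like before the user left" idea, and the point that a delayed HTTP response can rewrite a page with no script at all). The page is reduced to a snapshot of the signals a user actually trusts when logging in (title, favicon, and the origin each password form posts to) when the tab loses focus, and compared with a fresh snapshot when focus returns. Because it inspects the resulting page rather than the mechanism, it makes no difference whether a script, a streamed response or anything else did the rewriting, and ordinary background activity such as chat updates or counters does not trip the login-risk flag. The snapshot object layout and the `installTabWatch` hook are this example's own assumptions; the DOM calls used are standard.

```javascript
// Added example (not code from the Slashdot thread or from the tabnapping writeup).
// Defender-side "tab snapshot" check: record the login-relevant state of a page
// when the tab loses focus, compare it when focus returns, and warn the user
// when a password form appeared or now posts off-origin while they were away.

// Origin a form will post to, resolved against the page URL. A form with no
// action posts back to the page itself.
function actionOrigin(action, pageUrl) {
  try {
    return new URL(action || "", pageUrl).origin;
  } catch (e) {
    return "invalid:" + String(action);
  }
}

// Reduce a document to the signals a user trusts when deciding to log in:
// title, favicon, and where any password form would send its data.
// `doc` is the browser `document`; the snapshot layout is this example's own.
function snapshotFromDocument(doc, pageUrl) {
  const icon = doc.querySelector('link[rel~="icon"]');
  const passwordForms = [];
  for (const form of doc.querySelectorAll("form")) {
    if (form.querySelector('input[type="password"]') !== null) {
      passwordForms.push(actionOrigin(form.getAttribute("action"), pageUrl));
    }
  }
  return {
    url: pageUrl,
    title: doc.title,
    icon: icon ? icon.getAttribute("href") : null,
    passwordForms: passwordForms,
  };
}

// Compare two snapshots. `changes` lists everything that differs (so the UI can
// show what the tab looked like before); `loginRisk` is true only when a
// password form appeared while the tab was hidden, or a password form now posts
// somewhere other than the page's own origin. A changed title alone (chat
// notifications, counters) is reported but is not a login risk.
function compareSnapshots(before, after) {
  const changes = [];
  let loginRisk = false;
  const pageOrigin = new URL(after.url).origin;

  if (before.title !== after.title) {
    changes.push(`title changed: "${before.title}" -> "${after.title}"`);
  }
  if (before.icon !== after.icon) {
    changes.push(`favicon changed: ${before.icon} -> ${after.icon}`);
  }
  for (const origin of after.passwordForms) {
    if (!before.passwordForms.includes(origin)) {
      changes.push(`password form appeared, posting to ${origin}`);
      loginRisk = true;
    }
    if (origin !== pageOrigin) {
      changes.push(`password form posts to ${origin}, not to ${pageOrigin}`);
      loginRisk = true;
    }
  }
  return { changes: changes, loginRisk: loginRisk };
}

// Wire the check to the window's blur/focus events. `onRisk` receives the
// findings and the pre-blur snapshot so the UI can show the old state.
function installTabWatch(win, doc, onRisk) {
  let before = null;
  win.addEventListener("blur", () => {
    before = snapshotFromDocument(doc, win.location.href);
  });
  win.addEventListener("focus", () => {
    if (before === null) return;
    const result = compareSnapshots(before, snapshotFromDocument(doc, win.location.href));
    if (result.loginRisk) onRisk(result, before);
    before = null;
  });
}

// In a browser (for instance as an extension content script) install the watch
// on load; under Node, where the comparison logic also runs, this is skipped.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  installTabWatch(window, document, (result, before) => {
    console.warn(
      `This tab changed while you were away (it was "${before.title}"):\n` +
        result.changes.join("\n")
    );
  });
}
```

The URL bar is untouched by this kind of rewrite, so location is deliberately not one of the compared signals; the favicon, title and the destination of any password form are what the attack has to change to be convincing, which is why they are the ones snapshotted.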
