Tabnapping – A new hacking technique (and how to protect yourself)

With all the progress we’re making in technology, there’s also progress on the opposite side – hacking. Most of us, by now, are aware of some common hacking methods and how to stay protected from them. However, knowing about these techniques is not enough, as newer and more robust hacking techniques are constantly being found. One such technique is Tabnapping.

What is Tabnapping

Tabnapping (originally discovered by Aza Raskin) is a relatively new hacking technique that takes advantage of people opening multiple tabs while browsing. I’m generally alert and cautious while using the web, but I think I’d easily fall for this.

Tabnapping uses simple JavaScript to change the favicon, title and contents of a page once you switch to another tab. This way, when people look through all their tabs, they think this one belongs to a different site. As the contents of the page have also changed, people believe they are on the right site and interact with it as normal. Needless to say, if presented with a login form, they would simply attempt to log in, thus giving away their credentials.

This technique does rely on some assumptions (e.g. the user has an account with the target site, the user is already logged into the target site, etc.), but most of them are likely to hold. Even if they don’t, there are plenty of workarounds to make the technique effective enough.

How does Tabnapping work

Here’s a simple depiction of how Tabnapping works.

[Figure: tabnapping_2 – depiction of the Tabnapping flow]

Let us understand this better with an example.

Let’s say a hacker wants to hack a Gmail account. The process would be something like the following:

  1. Ensure the user is logged into the target account : Certain browsers allow a page to check whether the user is logged into a certain website. Additionally, the attack can be designed so that the user is likely to be logged into Gmail. For example, the attacker could send the URL by mail to the target’s Gmail address; there is then a very good chance the target is still logged into Gmail while opening the link.
  2. Load the malicious web page normally : The malicious website loads and acts normally when you first visit it. The content could be anything: a news article, a blog post, a page offering a file download, etc. It just needs to look like a normal website, and it keeps behaving that way for as long as the user is viewing the page.
  3. Change the favicon, title and contents when the tab becomes inactive : A script detects whether the malicious page’s tab is active or not. If it is not, the script changes the favicon, title and contents of the page so that the tab now resembles a Gmail tab.
  4. The user selects the malicious tab disguised as a Gmail tab : After going through other websites, the user might want to return to Gmail. At that point the favicon and title act as strong visual cues as to which tab belongs to which site. Seeing the Gmail icon and the usual title, the user clicks on the malicious tab and is presented with a page identical to the Gmail login page.
  5. The user enters login credentials into the malicious form : The user is likely to assume an automatic logout occurred due to inactivity and proceeds to log in. The form captures the credentials and sends them to the attacker’s server. The server can then redirect the user to Gmail (which was never logged out in the first place); the user sees the inbox and remains completely unaware that their account has been compromised.
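The favicon-and-title swap in steps 3 and 4 hinges on one observable fact: the page changes its identity only while its tab is hidden. The following is an added example (not code from the original article) that uses the same observation defensively, the way a browser extension might: a monitor is fed title, favicon and visibility events and raises an alert when the icon or title changes while the tab is in the background. The event shapes, the sample event stream and the severity levels are assumptions of this example; the browser wiring relies on the standard Page Visibility API and MutationObserver.

```javascript
// Added example, not from the original article: a defender-side monitor for the
// "swap identity while hidden" behaviour. TabnabbingMonitor is pure and is fed a
// constructed event stream so it runs under Node; installTabWatcher() wires it to
// a real document (Page Visibility API + MutationObserver on <head>) in a browser.
// The event shapes {type, hidden|from|to} are an assumption of this example.

class TabnabbingMonitor {
  constructor() {
    this.hidden = false;   // is the tab currently in the background?
    this.alerts = [];
  }

  // Feed one event; returns an alert object if the event is suspicious, else null.
  feed(ev) {
    if (ev.type === 'visibility') {
      this.hidden = ev.hidden;
      return null;
    }
    const changed = ev.from !== ev.to;
    if (!changed || !this.hidden) return null;   // changes while visible are normal
    if (ev.type === 'favicon') {
      // A site has little reason to swap its icon while nobody is looking: strong signal.
      const alert = { kind: 'favicon', severity: 'high', from: ev.from, to: ev.to };
      this.alerts.push(alert);
      return alert;
    }
    if (ev.type === 'title') {
      // Titles legitimately change in the background (unread counts, live scores),
      // so this alone is a weak signal; the favicon swap is what marks an attack.
      const alert = { kind: 'title', severity: 'low', from: ev.from, to: ev.to };
      this.alerts.push(alert);
      return alert;
    }
    return null;
  }
}

// Run a whole event stream through a fresh monitor and return every alert raised.
function analyzeTabEvents(events) {
  const monitor = new TabnabbingMonitor();
  events.forEach((ev) => monitor.feed(ev));
  return monitor.alerts;
}

// Browser wiring (defined only; not executed under Node). Tracks visibility via
// document.hidden and watches <head> for title/favicon mutations.
function installTabWatcher(doc, onAlert) {
  const monitor = new TabnabbingMonitor();
  const snapshot = () => {
    const icon = doc.querySelector('link[rel~="icon"]');
    return { title: doc.title, favicon: icon ? icon.href : '' };
  };
  let last = snapshot();
  doc.addEventListener('visibilitychange', () => {
    monitor.feed({ type: 'visibility', hidden: doc.hidden });
  });
  const observer = new MutationObserver(() => {
    const now = snapshot();
    for (const key of ['title', 'favicon']) {
      if (now[key] !== last[key]) {
        const alert = monitor.feed({ type: key, from: last[key], to: now[key] });
        if (alert) onAlert(alert);
      }
    }
    last = now;
  });
  observer.observe(doc.head, { childList: true, subtree: true, characterData: true, attributes: true });
  return observer;
}

// Constructed event stream: a page that looks like a news site swaps its icon and
// title to look like a webmail inbox only after the tab goes into the background.
const SAMPLE_EVENTS = [
  { type: 'title', from: '', to: 'Tech News Daily' },                  // visible: benign
  { type: 'visibility', hidden: true },                                 // user switches tab
  { type: 'favicon', from: 'https://news.example/favicon.ico', to: 'https://news.example/mail.ico' },
  { type: 'title', from: 'Tech News Daily', to: 'Inbox - Webmail' },
  { type: 'visibility', hidden: false },                                // user comes back
  { type: 'title', from: 'Inbox - Webmail', to: 'Inbox - Webmail' },   // no actual change
];

console.log(analyzeTabEvents(SAMPLE_EVENTS));   // two alerts: favicon (high), title (low)
```

A real extension would need an allow-list on top of this, because legitimate sites do change their title in the background (unread counts, notifications); that is why a title change alone is rated low and the favicon swap high, and why the two together are the pattern worth warning the user about.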

For browsers that don’t allow changing the favicon, the attacker can instead redirect to a malicious page that already has the intended favicon, title, etc. Additionally, Unicode domains can make a possible attack even harder to detect. Unicode domains are domains that use a different character set (mostly from another language). Many characters in other scripts resemble letters of the Latin script we use every day for English: “Er” in the Cyrillic script, for example, resembles a Latin “P”. This property can be used to create domain names that look exactly like the target site’s even though they are actually quite different.

Protecting yourself from Tabnapping

As this technique exploits human error rather than machine error, simply installing a plugin or changing some settings won’t be enough. We basically need to be cautious and alert while using the web. Here are some things you can do to help stay safe from tabnapping:

  1. Be extra cautious while logging into a site : Whenever you face a login page, be extra careful before entering your credentials. Check the URL, the domain name, whether the connection is secured or not, who the SSL certificate (if any) is issued to, etc. Most current browsers give a good number of hints near the address bar to signal these points. If you’re still not convinced, simply navigate to the right site again the way you normally would.
  2. Perform critical online transactions in an isolated browser session : When it comes to really critical tasks like making an online transaction or logging into your bank’s website, it’s best to do it in a separate session with just one tab open in your browser. This ensures the site and task at hand get your full attention.
  3. Install script-blocking add-ons if available : Most browsers have security-related add-ons, like the NoScript Security Suite for Mozilla Firefox and ScriptSafe for Chrome. These add-ons allow scripts to run only on trusted websites.
  4. Change your password frequently : While this may or may not help depending on how quickly the attacker acts on the stolen data, it certainly reduces the potential damage.

Above all, stay alert at all times. Be observant about which page you really are on, what the URL is, etc. Feel free to share in the comments any other ideas for staying safe online.
