There is a never-ending list of ways that computer security can be compromised, and a new discovery has added yet another threat to the list: Tabnapping.
Aza Raskin, a user interface specialist for the Mozilla Firefox Web browser, has detailed a new way to infiltrate computers through browser tabs. He calls it tabnapping or tabjacking.
Tabs allow users to have several sites open at once in the same browser window, and tabbed browsing is now a common feature in most browsers. By taking advantage of users' tendency to leave tabs open, certain programs can redirect an open tab to a malicious site without the user even knowing it.
"The time that wary people are most wary is exactly when they first navigate to a site. What we don’t expect is that a page we’ve been looking at will change behind our backs, when we aren’t looking. That’ll catch us by surprise," Raskin said.
Traditionally, phishing attacks worked when users mistakenly went to a malicious site, where viruses could be downloaded to the computer or important information stolen. With tabnapping, users go to legitimate Web sites in a browser tab, but when the user leaves the tab open and clicks over to another tab, the tabnapping program surreptitiously redirects the tab to a malicious site that looks similar.
When the user clicks back to the compromised tab, they will likely not know they are on a different site and may enter important information such as passwords and bank account numbers. Even if a user entered the sensitive information before the tabnapping happened, the malicious site can tell the user that a session has timed out (a common security practice on bank websites) so that the user must reenter their information.
Raskin has included an example on the very page where he documents the vulnerability. If you go to the page, leave it open and click away, you'll find that it looks like a Gmail login page when you click back to it. If you had gone to Gmail and logged in before this happened, you might simply think you had been unexpectedly logged out and enter your information again, but this time into a phishing site.
Raskin says this attack is viable on most major browsers, including Mozilla Firefox, Internet Explorer and Google Chrome. Because the attack relies on JavaScript, using browser plug-ins such as NoScript that block JavaScript can help users avoid the problem, although researcher Avi Raff has demonstrated a similar attack that circumvents JavaScript blockers. Raskin also says the upcoming Firefox Account Manager feature will help prevent tabnapping.
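A tab that comes to look like a different site while it sits in the background can be caught by comparing what the tab looked like when it was hidden with what it looks like when the user returns. The JavaScript below is an added example, not code from Raskin or from this article; it assumes it runs as a browser-extension content script, and the names `takeSnapshot` and `assessTabChange` and the sample snapshots are hypothetical.

```javascript
// Added example; function and field names are hypothetical.
// A snapshot records what identifies a tab to the user.
function takeSnapshot(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    origin: loc.origin,
    title: doc.title,
    favicon: icon ? icon.href : '',
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Compare the snapshot taken when the tab was hidden with the one taken on return.
function assessTabChange(before, after) {
  const changes = ['origin', 'title', 'favicon'].filter((k) => before[k] !== after[k]);
  if (!before.hasPasswordField && after.hasPasswordField) changes.push('passwordField');
  // A title change alone is normal (unread counters). A new password prompt
  // together with a changed title or icon, or a changed origin, is not.
  const disguised = changes.includes('title') || changes.includes('favicon');
  const suspicious = changes.includes('origin') ||
    (changes.includes('passwordField') && disguised);
  return { changes, suspicious };
}

// Constructed sample snapshots (not captured from a real site).
const SAMPLE_BEFORE = { origin: 'https://news.example', title: 'Article',
  favicon: 'https://news.example/favicon.ico', hasPasswordField: false };
const SAMPLE_SWAPPED = { origin: 'https://news.example', title: 'Sign in',
  favicon: 'https://news.example/mail.ico', hasPasswordField: true };
const SAMPLE_COUNTER = { ...SAMPLE_BEFORE, title: '(1) Article' };

// Browser wiring, skipped outside a browser. An in-page listener does not
// survive a navigation, so the origin check only matters when snapshots are
// collected from outside the page (assumption: e.g. an extension background script).
if (typeof document !== 'undefined') {
  let hiddenSnapshot = null;
  document.addEventListener('visibilitychange', () => {
    if (document.visibilityState === 'hidden') {
      hiddenSnapshot = takeSnapshot(document, location);
    } else if (hiddenSnapshot) {
      const now = takeSnapshot(document, location);
      const result = assessTabChange(hiddenSnapshot, now);
      if (result.suspicious) console.warn('Tab changed while hidden:', result.changes);
    }
  });
}
```

The title-only case (`SAMPLE_COUNTER`) is deliberately not flagged, since many legitimate pages update their title in the background.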
