Tabnapping Is a New Browser Security Threat

Credit: Darren Hester/MorgueFile

There is a never-ending list of ways that computer security can be compromised, and a new discovery has added yet another threat to the list: Tabnapping.

Aza Raskin, a user interface specialist for the Mozilla Firefox Web browser, has detailed a new way to infiltrate computers through browser tabs. He calls it tabnapping or tabjacking.

Tabs allow users to have several sites open at once in the same browser window, and tabbed browsing is now a common feature in most browsers. By taking advantage of users' tendency to leave tabs open, certain programs can redirect an open tab to a malicious site without the user even knowing it.

"The time that wary people are most wary is exactly when they first navigate to a site. What we don’t expect is that a page we’ve been looking at will change behind our backs, when we aren’t looking. That’ll catch us by surprise," Raskin said.

Traditionally, phishing attacks relied on users mistakenly going to a malicious site where viruses could be downloaded to the computer or important information stolen. With tabnapping, users go to legitimate Web sites in a browser tab, but when the user leaves the tab open and clicks over to another tab, the tabnapping program surreptitiously redirects the tab to a malicious site that looks similar.

When the user clicks back to the compromised tab, he or she will likely not know they are on a different site and may enter important information such as passwords and bank account numbers. Even if a user entered the sensitive information before the tabnapping happened, the malicious site can tell the user that a session has timed out (a common security practice on bank websites) so that the user must reenter their information.

Raskin has included an example on the very page where he documents the vulnerability. If you go to the page, leave it open and click away, you'll find that it looks like a Gmail login page when you click back to it. If you had gone to Gmail and logged in before this happened, you might simply think you had been unexpectedly logged out and enter your information again, but this time into a phishing site.

Raskin says this attack is viable on most major browsers, including Mozilla Firefox, Internet Explorer and Google Chrome. Because the attack relies on JavaScript, using browser plug-ins such as NoScript that block JavaScript can help users avoid the problem, although researcher Aviv Raff has demonstrated a similar attack that circumvents JavaScript blockers. Raskin also says the upcoming Firefox Account Manager feature will help prevent tabnapping.
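The behaviour described above, seen from the defender's side: an added example (not from Raskin's write-up or this article) that compares what a tab showed when the user left it with what it shows on return. The event format, function names and sample data are assumptions made for the illustration, and the same-origin title-plus-favicon rule goes beyond the redirect case the article describes.

```javascript
// Added example: flag tabs whose identity changed while they were in the background.
// The event shape {type, tabId, url, title, favicon} is hypothetical.
function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// An origin change is the redirect case; title and favicon changing together on the
// same origin is treated as an in-place disguise. A title-only change (for example
// an unread-message counter) is ignored to keep false positives down.
function severity(before, after) {
  if (before.origin !== after.origin) return 'high';
  if (before.title !== after.title && before.favicon !== after.favicon) return 'medium';
  return null;
}

function detectBackgroundChanges(events) {
  const tabs = new Map(); // tabId -> { current, snapshot }
  const alerts = [];
  for (const ev of events) {
    if (!tabs.has(ev.tabId)) tabs.set(ev.tabId, { current: null, snapshot: null });
    const tab = tabs.get(ev.tabId);
    if (ev.type === 'update') {
      tab.current = { origin: originOf(ev.url), title: ev.title, favicon: ev.favicon };
    } else if (ev.type === 'blur') {
      tab.snapshot = tab.current; // what the user last saw in this tab
    } else if (ev.type === 'focus' && tab.snapshot && tab.current) {
      const level = severity(tab.snapshot, tab.current);
      if (level) alerts.push({ tabId: ev.tabId, level, before: tab.snapshot, after: tab.current });
      tab.snapshot = null;
    }
  }
  return alerts;
}

// Constructed sample events (not captured from a real browser).
const SAMPLE_EVENTS = [
  { type: 'update', tabId: 1, url: 'https://news.example/story', title: 'Story', favicon: 'news.ico' },
  { type: 'update', tabId: 2, url: 'https://mail.example/inbox', title: 'Inbox', favicon: 'mail.ico' },
  { type: 'update', tabId: 3, url: 'https://blog.example/post', title: 'Post', favicon: 'blog.ico' },
  { type: 'blur', tabId: 1 }, { type: 'blur', tabId: 2 }, { type: 'blur', tabId: 3 },
  { type: 'update', tabId: 1, url: 'https://login.lookalike.example/', title: 'Sign in', favicon: 'bank.ico' },
  { type: 'update', tabId: 2, url: 'https://mail.example/inbox', title: 'Inbox (1)', favicon: 'mail.ico' },
  { type: 'update', tabId: 3, url: 'https://blog.example/post', title: 'Mail: sign in', favicon: 'mail.ico' },
  { type: 'focus', tabId: 1 }, { type: 'focus', tabId: 2 }, { type: 'focus', tabId: 3 },
];

console.log(detectBackgroundChanges(SAMPLE_EVENTS).map(a => `tab ${a.tabId}: ${a.level}`));
```

In a real browser the same comparison would be driven by the tab-activation and tab-update events an extension receives; the warning is most useful when shown before the user types into the returned-to tab.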