Phishing Attacks Target Tabbed Browsers
A Mozilla researcher appears to have stumbled upon an entirely new kind of phishing exploit that involves the handy tabs we are all becoming used to seeing in different browsers. The design is fairly simple, but it is clever, and some people are bound to be taken in by it. The attack plays on the way browsers manage and display their tabs.
The basic concept involves a script that, while running in one tab, can change the content shown in another tab. The main requirement is that multiple tabs be open at the same time, which is a pretty common online practice.
The Mozilla representative, Aza Raskin, has demonstrated the tab phish, and he has conjectured that this new method is suited for specific and well-targeted attacks against customers of banks, credit card companies, or even web based email services.
An additional requirement for completing the exploit is that the attacker's website has been visited; that site is where the script used in the tab attack lives. When the malicious site is visited, the script identifies any existing tabs that are open and then determines how long each tab has been open.
This is important because a successful exploit with this method requires tabs that have been open for a while. JavaScript is then used to change the content to resemble basically anything the attacker wishes.
Mr. Raskin has an example on his website in which the new page is actually Gmail’s login page. You can watch a video demonstration of the attack here: Video Demonstration Tab Exploit
But you can see the potential here. The attacker can make the page look like whatever he wants, such as your bank's login page, a credit card login page, or even PayPal's login page. The attack relies, of course, on the reader's memory of having visited that page.
The important thing to note is that this attack can involve any site. JavaScript must also be enabled for this attack to be effective.
As for Firefox, a fix for this type of attack has been implemented in the NoScript addon. But the attack apparently still succeeds in Google's Chrome. The takeaway is to be vigilant when you browse with tabs open.
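The vigilance the article recommends comes down to one concrete check before typing a password: does the address bar actually point at the brand the page claims to be? Here is that check written out as a small function, an added example that is not taken from Raskin's write-up; the brand-to-domain table is a constructed sample.

```javascript
// Added example (not from the article): a defender-side check that a
// login page's real origin matches the brand it appears to be.
// Tab phishing works because the user trusts the page's appearance and
// forgets that the address bar is the one thing the page cannot repaint.
// Given the tab's current URL and the domains a brand legitimately uses,
// the check below reports whether credentials should be entered there.

// Legitimate login domains per brand. Constructed sample table for this
// example; a real deployment would maintain its own list.
const KNOWN_LOGIN_DOMAINS = {
  gmail: ["google.com"],
  paypal: ["paypal.com"],
};

// True if `host` equals `domain` or is a subdomain of it.
// The leading dot stops "notgoogle.com" from matching "google.com".
function hostMatchesDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns { ok, reason } describing whether the page at `urlString` is a
// plausible login page for `brand`, and why not if it is not.
function checkLoginOrigin(brand, urlString) {
  const domains = KNOWN_LOGIN_DOMAINS[brand];
  if (!domains) return { ok: false, reason: "unknown brand" };

  let url;
  try {
    url = new URL(urlString); // WHATWG URL parser (built into browsers and Node)
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }

  // A login page served over plain http is not one to trust.
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }

  // url.hostname is normalised to lower-case ASCII (IDN hosts appear in
  // punycode), so case tricks and Unicode lookalikes do not match the list.
  const host = url.hostname;
  if (!domains.some((d) => hostMatchesDomain(host, d))) {
    return { ok: false, reason: "host " + host + " is not a " + brand + " domain" };
  }
  return { ok: true, reason: "origin matches brand" };
}
```

The same idea is what a user does by eye: look at the host in the address bar, not at the logo on the page, and treat "google.com.example.net" as the foreign site it is.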
