Tabnabbing: A New Name for an Old Threat
There isn’t much new or exciting about tabbed web browsing, which has been more or less mainstream for the last 5 years. Likewise, the HTML standard has had the ability to refresh a page to a different URL via meta tags for much longer than that. So what do we make of Aza Raskin’s recent announcement of “tabnabbing” as a new and dangerous in-browser phishing attack? We covered the basic aspects of this threat vector in this week’s Cyber Risk Report, but let’s dive a little deeper here.
New Uses for New Interfaces
If tabbed browser interfaces are not new, and the ability to refresh pages is not either (though admittedly, Raskin’s methods are more devious than a basic meta refresh), what makes tabnabbing so interesting? The key might lie in how users have changed their habits and usage of web browsers, namely web applications. Users have shifted their computing from local applications to online ones, like webmail, online document collaboration, social bookmarking, and social networking. As a result, browser sessions are more likely to contain large numbers of open tabs, some of which are referred to regularly throughout the day, or even over several days. Multitasking users switch from tab to tab, and may have little or no recollection about the authenticity or origin of any particular page, beyond trusting the tab or page appearance.
Tabnabbing capitalizes on this page persistence by presenting another common user experience, the “session expired” login page, in place of whatever page the attacker places their tabnabbing code into. After a user opens a page that contains tabnabbing code and then either navigates away from the tab or gives the attacking script some other sign of inactivity (time delay, etc.), the page refreshes to a phishing page that mimics the login page for a site that the user should expect. The change can also include modifying the tab title and site icon, so that as the user who has navigated away from a tabnabbing tab scans the tab bar looking for their “mail” or “social networking” tab, the icon and title will lure them in.
The Root of the Problem
Aza presents this problem as a reason for adopting Mozilla’s new Account Manager feature, coming soon to Firefox. I’m not sure that scaring users into adopting a new feature because you can describe to the Internet a novel attack method is exactly the best way to promote a new feature, but I think the general value of Aza’s suggestion stands: user identity is at increasing risk of attack if it continues to be coupled to the dynamic content regions of the web browsing experience.
One option would be to use a site-specific browser, like Prism, to ensure that commonly used web apps stand on their own and aren’t part of the normal browser process. My fellow Cisco Security blogger Henry Stern suggested some third-party options for managing online passwords. Password managers from a trusted third-party strike at a low-hanging fruit that causes the problem Aza has hinted at with tabnabbing, as well as several other security problems (such as using a common password across multiple websites). When armed with a password manager, whether or not it is Mozilla’s Firefox Account Manager, the user interface decision such as “sign me in to this site” is decoupled from content that can be modified by a malicious site owner. If the user tries to issue the sign in command to a site that they do not have a password for (e.g. on a tabnabbed site where the URL differs from the apparent page content) then the result is an error, and not a disclosure of identity.
The problem is not simply one of identity, but also because of the commingling of trusted and untrusted interfaces. Browser elements that define trust, like SSL, have moved to more prominent places in recent browser versions, changing the address bar appearance or color. Web addresses themselves are displayed differently in IE, for example, which bolds the TLD and the protocol to help users understand what context they are in. Likewise, user identity could benefit from a more prominent placement in the trusted browser interface, instead of residing in the untrusted page content. Ultimately, tabnabbing and threats like it will continue to push browser developers and users to reevaluate past practices, new uses, and technical capabilities. In the end, the Internet should be safer for it.