
Foo Forum

New type of phishing attack.
Browser tab napping. Pretty scary.
jecasc
msg:4138284
9:32 am on May 25, 2010 (gmt 0)

This is a little scary, because it's so simple. I have considered myself pretty much safe from phishing attacks, but this might be the one I might fall for:

It works like this: If you have several browser tabs open, then visit a website in one tab and then switch to another tab, the website might check if it has lost the focus, then change its contents, including its title tag and its favicon.

The tab that was called "widget site" before and had the "widget site" favicon might now be called "Gmail" or "Paypal" in the tab, display the favicon of this website in its tab, and might have replaced its contents with the login site.

More information and a demonstration here on Aza Raskins website:

[azarask.in...]

Just open this website in a new tab, then switch to another tab and wait five seconds and see what happens.

It affects browsers differently. Most affected is Firefox. In Firefox Favicon, Title and Content is changed. In Internet Explorer it does not display a favicon at all and Opera does not display a new favicon. Chrome does not seem to be affected.


serutan
msg:4141274
4:35 am on May 27, 2010 (gmt 0)

Clever. Many people wouldn't bother to look up at the address bar.

J_RaD
msg:4141921
3:01 pm on May 27, 2010 (gmt 0)

Wow, that is slick. The web page is saying, "hey, nobody is looking, let's make a quick switch."

The article does say Chrome is affected.

jecasc
msg:4141966
3:39 pm on May 27, 2010 (gmt 0)

The article does say Chrome is affected.


Haha, seems Chrome "fixed" the issue of not being affected with an update recently.

weeks
msg:4142899
2:16 pm on May 28, 2010 (gmt 0)

Do watch the demo video. Very clear how this is a very serious issue.

mack
msg:4143172
7:10 pm on May 28, 2010 (gmt 0)

This is a worry. Anyone could fall into that trap.

Mack.

soluml
msg:4143190
7:39 pm on May 28, 2010 (gmt 0)

This is the first Phishing attack in a long time that has me worried. The evidence is mounting for me to give in and install Noscript on Firefox.

Bewenched
msg:4143245
9:29 pm on May 28, 2010 (gmt 0)

Wow .. that is very slick... and very scary!

physics
msg:4143254
9:48 pm on May 28, 2010 (gmt 0)

My strategy is still to use one browser exclusively for very secure things and never for anything else - seriously reduces the risk of things like this happening.

sgietz
msg:4143273
10:08 pm on May 28, 2010 (gmt 0)

Many people I know keep their Gmail window open all day, so I'm guessing that will be a primary target.

This is as brilliant as it is scary!

sgietz
msg:4143276
10:13 pm on May 28, 2010 (gmt 0)

Bring back IE 6 with no tabs :P

lucylover
msg:4143338
1:33 am on May 29, 2010 (gmt 0)

nice ~ wonderful

tangor
msg:4143357
2:09 am on May 29, 2010 (gmt 0)

Heads up for FF running NoScript... it has been updated to prevent this...

jkovar
msg:4143630
5:56 pm on May 29, 2010 (gmt 0)

Firefox users need an extension that causes the address bar to flash red if the content of the page has changed between the time they moved to a new tab and when they came back to the tab.
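
One way to build the check jkovar describes, as an added example that is not part of this thread or of Aza Raskin's demo: a small content script that snapshots the tab's title, favicon, URL and password fields when the tab goes hidden (the moment the attack in the first post triggers) and compares them when the tab becomes visible again. The `snapshotTab`, `detectTabChange` and `installTabCanary` names are the example's own.

```javascript
// Added example, not code from the thread: a defender-side "tab-change canary" along the lines
// of the extension jkovar asks for. It records the tab's identity (URL, title, favicon, login
// fields) when the tab loses visibility and compares it when visibility returns.

// Collect the identity of a page from a document-like object (the real `document` or a stub).
function snapshotTab(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    url: doc.location.href,
    title: doc.title,
    favicon: icon ? icon.href : null,
    // A login form appearing while the tab was hidden is the tabnabbing tell.
    passwordFields: doc.querySelectorAll('input[type="password"]').length,
  };
}

// Compare two snapshots; returns the list of suspicious changes (empty when nothing changed).
function detectTabChange(before, after) {
  const changes = [];
  if (before.title !== after.title) changes.push(`title: "${before.title}" -> "${after.title}"`);
  if (before.favicon !== after.favicon) changes.push('favicon replaced');
  if (before.url !== after.url) changes.push(`url: ${before.url} -> ${after.url}`);
  if (after.passwordFields > before.passwordFields) changes.push('new password field(s) appeared');
  return changes;
}

// Hook the Page Visibility API (for a userscript or extension content script) and report
// through `warn`; nothing is reported for a page that stayed the same while hidden.
function installTabCanary(doc, warn) {
  let hiddenSnapshot = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') {
      hiddenSnapshot = snapshotTab(doc);
    } else if (hiddenSnapshot) {
      const changes = detectTabChange(hiddenSnapshot, snapshotTab(doc));
      if (changes.length) warn(`Page changed while this tab was hidden: ${changes.join('; ')}`);
      hiddenSnapshot = null;
    }
  });
}

// In a browser, arm the canary on the current page; under Node (no `document`) do nothing.
if (typeof document !== 'undefined') installTabCanary(document, (msg) => alert(msg));
```

As thecoalman points out later in the thread, a bank site's idle logout also changes the page while you are away, so the warning is a prompt to read the address bar before typing, not a verdict on its own.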

BillyS
msg:4143769
1:15 am on May 30, 2010 (gmt 0)

That's very cool.

Sgt_Kickaxe
msg:4143811
6:22 am on May 30, 2010 (gmt 0)

It would be more cool if tabs not in use were locked, as if someone pressed the little red x, unless that option is turned off by choice.

tangor
msg:4143834
7:47 am on May 30, 2010 (gmt 0)

I am 1990s folk... I have ONE tab open at any time, and the second--when I opt for it--only open long enough to see that contents. There is a drawback to too many processes in use. Looking at this from the user side. And also seeing it from the giggle (sic) side as only small processes in use at any time expanded across multiple (x) processes (not processors) to get a job done.

Meanwhile, common sense is applied: if you only have one tab open, there's no way this newly discovered event can work against the user. Regardless of browser...

Reminded of those elder daze (sic) when multitasking was first introduced. And failures and reboots and... how cool is it that what has gone before comes back around to bite us in the arse? YMMV.

thecoalman
msg:4143959
4:07 pm on May 30, 2010 (gmt 0)

Firefox users need an extension that causes the address bar to flash red if the content of the page has changed between the time they moved to a new tab and when they came back to the tab.


They need to lock the content on the tab or something like that. A flashing tab wouldn't work on my bank's site because it logs you out after x minutes of inactivity. A flashing tab would not be anything out of the ordinary.

trillianjedi
msg:4143998
6:16 pm on May 30, 2010 (gmt 0)

Oh that's utterly brilliant :)

Mega-slick.

MatthewHSE
msg:4144338
1:21 pm on May 31, 2010 (gmt 0)

Consistent use of a good password manager, such as LastPass, should prevent this sort of attack since they would be looking at the actual URL of the page, not the appearance.

TheWhippinpost
msg:4147021
5:23 pm on Jun 4, 2010 (gmt 0)

Try NOT switching to another tab - it still refreshed/redirected after 5 secs (at least in Maxthon 1).

sonjay
msg:4147521
10:49 pm on Jun 5, 2010 (gmt 0)

My strategy is still to use one browser exclusively for very secure things and never for anything else - seriously reduces the risk of things like this happening.


That's exactly what I started doing after I first became aware of cross-site scripting attacks. I use one browser and one browser only for bank logins, PayPal, brokerage accounts, affiliate accounts -- all financial sites and other sites of all types where there's a strong need for security. I never use that browser to visit any other sites. Then there are all the other browsers I have and use -- they're never used for any important logins.

If the "wrong" browser was suddenly showing me a login page for one of those accounts, it would immediately send up red flags.
