As we all progress in learning the wonderful things we can do with scripts and simple HTML code, it is sometimes useful to remember that just because we CAN do something doesn't mean we SHOULD. There are many examples of this both in life and on the internet; the particular subject of this post is "tabnabbing". As defined by Wikipedia: "Tabnabbing is a computer exploit and phishing attack, which persuades users to submit their login details and passwords to popular websites by impersonating those sites and convincing the user that the site is genuine." That is bad enough, but there is a specific flavor of tabnabbing that can be unknowingly assisted by bloggers.
I would urge anyone who is technically inclined to do more research on the general subject; I have provided a few links below to get you started. For now, let's look at the topic of this post.
By now most users of the internet are aware of the dangers of clicking on unknown websites or visiting non-"HTTPS" websites. Most people even know the dangers of opening e-mail links from unsecured sources. However, a very common piece of HTML used by many admins of blog sites can potentially be used against us and our visitors in a very bad way. We are all aware of links, and most webmasters know how to create them and add them to a site.
i.e.: <a href="https://www.exampledotcom/">exampledotcom</a>
There is another type of link that we webmasters like to use, which opens the link in a new tab or window. This is the type of code I want to warn all webmasters/bloggers about.
i.e.: <a href="https://www.exampledotcom/" target="_blank">exampledotcom</a>
Why would this be a problem, you may ask? The short answer is that it sets up the visitor for a phishing attack if the site you link to has bad intentions. For a more in-depth answer I will refer to
www.thesitewizard.com, and I quote directly from their site:
"It Makes Your Site Vulnerable to Phishing Attacks
At the time this is written, when you open a new page with target="_blank", the site you link to gains access to the window/tab containing your page and is able to change it (in the visitor's browser) to display a different web address.
This not only thwarts your attempt to keep visitors at your site (if that's your purpose), it's also a potential danger to them. For example, if you have a login page, the linked-to site may replace it with one on another site that looks like yours, but actually collects your visitor's login details. This kind of attack is called "phishing". Even if your site does not have facilities for visitors to log in, the linked-to site can replace it with a page that delivers malware.
This vulnerability is not hypothetical. The people from the Google Security Team have noted a "significant number of reports" of such "tabnabbing" being used to deliver malware.
Technical details (only for those who are interested): the newly opened site gains limited access to your page via the JavaScript window.opener object. This is a read/write object that they can manipulate. It has a property called window.opener.location that can be changed, causing the browser to go to a new URL instead of staying at your page. If you don't understand this paragraph, skip it. It's merely the technical version of the explanation given earlier.
You can prevent it from happening in some browsers by adding rel="noopener noreferrer" to your link. With this added, the above example becomes:
<a href="https://www.thesitewizard.com/" rel="noopener noreferrer" target="_blank">thesitewizard.com</a>
Theoretically, either rel="noopener" or rel="noreferrer" is sufficient to prevent this problem, with rel="noopener" being the correct attribute to use. (The other one, rel="noreferrer", has a side-effect in that the browser will also withhold the referring URL.) However, at this time, not all browsers support rel="noopener". Likewise, rel="noreferrer" is also not supported by some browsers. Since the list of browsers that support either attribute is not identical, if you want this protection from the greatest subset of browsers possible, you will probably need to use both.
That said, the workaround only helps with the later versions of Chrome, Firefox and Safari. Internet Explorer does not have such a facility, although from my cursory test, version 11 seems to be immune to the attack in its default security zone. I'm not sure about Microsoft Edge.
In other words, the method detailed above is not 100% foolproof. The best way to avoid the problem is to use normal links, without target="_blank".
Conclusion
My general recommendation is to avoid opening links in a new window or tab, if possible. Of course there may be specific instances where this is needed (which is why such a facility exists in the first place, for those rare cases where it may be required). If so, you may want to warn your visitors by saying something like "opens in a new window" next to your link (if it's appropriate). It won't help the average Internet user, who won't know what you are talking about or how to deal with it, and it won't guard them from attacks using your site, but at least you won't frustrate the more experienced Internet visitors."
So the big takeaway here is this: it is OK to use traditional links on your site, but it is a bad idea to use the "open in a new tab or window" type of link unless you know the destination is secure or it's to your own pages.
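The quoted technical details (window.opener.location) and the rel="noopener noreferrer" fix lend themselves to a small audit tool a blogger can run over their own pages. The script below is an added example, not code from this post or from thesitewizard.com: it finds every anchor that opens a new tab or window without noopener/noreferrer, optionally skips links to the blogger's own host (the post's "unless it's to your own pages" rule), and rewrites the offending tags. The SAMPLE_HTML and the host name blog.example.com are constructed for the demo; the regex-based tag parsing is an assumption that suits hand-written blog markup, not a general HTML parser.

```javascript
// Added example, not code from the original post or from thesitewizard.com:
// an audit-and-fix pass over a page's HTML that finds anchors which open a
// new tab/window (target="_blank") without rel="noopener"/"noreferrer", and
// rewrites them so the linked-to page gets no usable window.opener.
// SAMPLE_HTML below is constructed for the demo; "blog.example.com" is an
// assumed name for the blogger's own host.
//
// Parsing is a deliberately small regex over <a ...> start tags, which is
// fine for hand-written blog markup; a real site should feed an HTML parser.

const ANCHOR_TAG = /<a\b([^>]*)>/gi;
// name="value", name='value', name=value, or a bare boolean attribute.
const ATTR = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parses the attribute text of one start tag into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  let m;
  while ((m = ATTR.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Splits a rel attribute into its (case-insensitive) link-type tokens.
function relTokens(rel) {
  return new Set((rel || '').toLowerCase().split(/\s+/).filter(Boolean));
}

// Resolves an href (possibly relative) against base and returns its hostname.
function hostOf(href, base) {
  try { return new URL(href, base).hostname; } catch { return null; }
}

// Reports target="_blank" anchors that carry neither noopener nor noreferrer.
// With ownHost set, links that resolve to the blogger's own host are skipped,
// matching the post's "unless it's to your own pages" rule.
function findUnsafeBlankLinks(html, { ownHost } = {}) {
  const own = ownHost ? ownHost.toLowerCase() : null;
  const base = `https://${own || 'own-site.invalid'}/`;
  const findings = [];
  ANCHOR_TAG.lastIndex = 0;
  let m;
  while ((m = ANCHOR_TAG.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if ((attrs.target || '').toLowerCase() !== '_blank') continue;
    const rel = relTokens(attrs.rel);
    if (rel.has('noopener') || rel.has('noreferrer')) continue;
    const href = attrs.href || '';
    if (own && hostOf(href, base) === own) continue;
    findings.push({ href, tag: m[0], offset: m.index });
  }
  return findings;
}

// Rewrites every target="_blank" anchor so rel carries both noopener and
// noreferrer (the belt-and-braces form the quoted article recommends), keeping
// existing rel values such as nofollow. The start tag is rebuilt from parsed
// attributes, so attribute names come out lowercased and values double-quoted.
function fixBlankLinks(html) {
  return html.replace(ANCHOR_TAG, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if ((attrs.target || '').toLowerCase() !== '_blank') return tag;
    const rel = relTokens(attrs.rel);
    if (rel.has('noopener') && rel.has('noreferrer')) return tag;
    rel.add('noopener');
    rel.add('noreferrer');
    attrs.rel = [...rel].join(' ');
    const rebuilt = Object.entries(attrs)
      .map(([k, v]) => `${k}="${v.replace(/"/g, '&quot;')}"`)
      .join(' ');
    return `<a ${rebuilt}>`;
  });
}

// Constructed sample page: two unprotected external new-tab links, one
// unprotected link to the blogger's own site, one already-protected link,
// and one ordinary link that must be left alone.
const SAMPLE_HTML = `<p>Read <a href="https://www.example.net/post" target="_blank">this post</a>,
my <a href="/about" target="_blank">about page</a>,
a <a href='https://partner.example.org/' target='_BLANK' rel="nofollow">partner</a>,
a safe <a href="https://www.example.net/" target="_blank" rel="noopener noreferrer">link</a>,
and a <a href="https://www.example.net/other">normal link</a>.</p>`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findUnsafeBlankLinks(SAMPLE_HTML, { ownHost: 'blog.example.com' })) {
    console.log(`unsafe new-tab link to ${f.href || '(no href)'}: ${f.tag}`);
  }
  console.log(fixBlankLinks(SAMPLE_HTML));
}
```

Run it with node and it lists the two external links that need fixing, then prints the page with rel="noopener noreferrer" added to every new-tab link (a link that already had rel="nofollow" keeps it). The audit treats either token as protection, as the quoted article says, while the fixer adds both, which is the article's practical advice. For links opened from script rather than markup, the same protection is the noopener window feature, window.open(url, '_blank', 'noopener'), which gives the new page no opener reference at all.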
It is not my intention to teach a class on the subject; rather, I only wish to make admins and bloggers aware of the issue so they can do their own research and adjust the security of their hosted sites as they see fit.
Here are some sources used in this post, and some to point ya in the right direction.
en.wikipedia.org/wiki/Tabnabbing
www.thesitewizard.com
krebsonsecurity.com
bbb.org
owasp.org
resources.infosecinstitute.com
Hope you find this useful and safe blogging to you all,
Bear