Tabnabbing

from Wikipedia, the free encyclopedia

Tabnabbing is a phishing method in which JavaScript rewrites the entire page content, together with the favicon and title of a website, once the user leaves its tab, in order to deceive the user. The user is meant to believe that they opened the page themselves and therefore does not check the URL; they then enter their private information, believing they are on the real website.

Method

The user opens a normal website on which such JavaScript runs in the background. As soon as the tab in the web browser loses focus for a certain period of time, the website's favicon, title and entire content are changed. Because no reload takes place, the user is fooled into thinking that they navigated to the website themselves. They may then enter their sensitive information into the new content of the page, which in this case contains a phishing form. The data is stored and the user is then forwarded to the actual login page.
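As an added, defender-side example (not part of the Wikipedia article): a heuristic detector for the behaviour described above, written in JavaScript so the core logic runs in Node and the wiring runs in a browser or extension content script. The event shapes, function names and verdict labels are my own assumptions; the page's own swap happens only while the tab is hidden, which is what the heuristic keys on.

```javascript
// Added example, not from the article. Classic tabnabbing swaps title,
// favicon and content only while the tab is hidden, so we record which
// changes a page makes while document.hidden is true and flag the
// combination legitimate pages rarely produce: an identity swap while
// hidden followed by a password field that was not there at load time.

// Core logic over a plain event log (constructed shapes, so it runs in Node):
// {type:'visibility', hidden:bool}, {type:'title'}, {type:'favicon'},
// {type:'password-field'}.
function classifyTabnabbing(events) {
  let hidden = false, sawHidden = false, passwordFieldAdded = false;
  const whileHidden = new Set(); // 'title' / 'favicon' changed while hidden
  for (const ev of events) {
    if (ev.type === 'visibility') { hidden = ev.hidden; sawHidden ||= hidden; continue; }
    if (ev.type === 'password-field' && sawHidden) passwordFieldAdded = true;
    if (hidden && (ev.type === 'title' || ev.type === 'favicon')) whileHidden.add(ev.type);
  }
  // Title changes while hidden are common (unread counters), so alone they
  // are only a weak signal; a favicon swap while hidden is far rarer.
  const identitySwap = whileHidden.has('favicon') || whileHidden.has('title');
  if (identitySwap && passwordFieldAdded) return 'likely-tabnabbing';
  if (whileHidden.has('favicon')) return 'suspicious';
  return 'benign';
}

// Translate one MutationRecord into log events (browser only).
function recordMutation(r, log) {
  const t = r.target;
  if (t.nodeName === 'TITLE' || t.parentNode?.nodeName === 'TITLE') log.push({ type: 'title' });
  if (t.nodeName === 'LINK' && /\bicon\b/.test(t.rel || '')) log.push({ type: 'favicon' });
  for (const n of r.addedNodes) {
    if (n.nodeType !== 1) continue; // element nodes only
    if (n.matches('link[rel~="icon"]')) log.push({ type: 'favicon' });
    if (n.matches('input[type="password"]') || n.querySelector('input[type="password"]'))
      log.push({ type: 'password-field' });
  }
}

// Browser wiring: install after load, call onVerdict on every change.
// Returns null when there is no DOM (e.g. under Node) so tests can run.
function installTabnabbingWatch(onVerdict) {
  if (typeof document === 'undefined') return null;
  const log = [];
  const report = () => onVerdict(classifyTabnabbing(log));
  document.addEventListener('visibilitychange', () => {
    log.push({ type: 'visibility', hidden: document.hidden }); report();
  });
  new MutationObserver((records) => { records.forEach((r) => recordMutation(r, log)); report(); })
    .observe(document.documentElement,
      { childList: true, subtree: true, characterData: true, attributes: true, attributeFilter: ['href', 'rel', 'type'] });
  return log;
}
```

A verdict of likely-tabnabbing is a cue to re-check the address bar before typing credentials, not proof; sites that legitimately rebuild a login form after a session timeout will trip it.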

Expandability through history stealing

(Figure: history stealing process)

With history stealing, the attacker takes advantage of the way in which the web browser records whether a user has already followed a link. Links that have already been visited are displayed in a different color from links that have not yet been followed. The color comes from a rule in the style sheet (CSS) of the HTML document, which the web browser applies according to the visited state it keeps in its history. In history stealing, this state is read out by JavaScript from within the page. The result can then be used, with the help of tabnabbing, to replace the page with a phishing form imitating the site the victim visits most. This increases the success rate of the attack because the victim is not surprised by an unfamiliar login page.

This vulnerability was discovered by web developer Aza Raskin, the son of user interface designer Jef Raskin, and was closed by most browser manufacturers in the spring of 2011.
