Saturday, September 10, 2016

Firefox 48.0 Is Not Vulnerable to Reverse Tabnabbing

What is Tabnabbing?

According to Wikipedia, Tabnabbing is a computer exploit and phishing attack, which persuades users to submit their login details and passwords to popular websites by impersonating those sites and convincing the user that the site is genuine.

The attack's name was coined in early 2010 by Aza Raskin, a security researcher and design expert. The attack takes advantage of user trust and inattention to detail in regard to tabs, and the ability of modern web pages to rewrite tabs and their contents a long time after the page is loaded.

Tabnabbing operates in reverse of most phishing attacks in that it doesn’t ask users to click on an obfuscated link but instead loads a fake page in one of the open tabs in your browser.

What's New?

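Recently, security researchers found a new attack vector. Many websites code their links with target="_blank". A page opened through such a link gets a reference to the tab that opened it (window.opener) and can redirect that tab, for example to a phishing page, so attackers can use this weakness against visitors' browsers.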

How to avoid it?

If you are a website administrator or developer, change every link in your code from:

target="_blank"

to:

target="_blank" rel="noopener noreferrer"

If you are a user, you need to use a browser that is not vulnerable, such as Firefox 34.0 or higher.

I tested Edge, Chrome, Safari and Firefox on Android, Linux, iOS, Windows and Mac OSX. I got the following results.

Vulnerable -
Safari for Mac OSX 9.1.3 (11601.7.8)
Safari for iOS (iPad) 9.3.5
Safari for iOS (iPhone) 9.3.5
Android Browser 42.0.2311.1179 (Default browser for OnePlus One 6.0.1)
Chrome for Mac OSX 53.0.2785.101
Chrome for Android 52.0.2743.98 (Default browser of Nexus 5 6.0.1)
Chrome for Android 53.0.2785.97
Chrome for iOS (iPad) 53.0.2785.86
Firefox for iOS (iPad) 5.2 (1)*

Not Vulnerable -
Firefox for Android 48.0
Firefox for Linux 48.0
Firefox ESR for Linux 45.3.0
Firefox for Mac OSX 48.0
Edge for Windows 25.10586.0.0

Please note that Google will not fix this "vulnerability" in Chrome; see their explanation in reference (4).

*Note that Firefox for iOS is also vulnerable. Chrome for Linux was not tested.

How do I test my browsers?

Please go to the Blankshield & Reverse Tabnabbing Attacks Demo Page (reference 2). If the first line shows the following message, your browser is not vulnerable. Otherwise, your browser is vulnerable to this attack.

"You are not using a vulnerable browser."

If your browser is vulnerable to this attack, the page should look like this.

Reference

(1) https://github.com/danielstjules/blankshield
(2) https://danielstjules.github.io/blankshield/
(3) http://news.softpedia.com/news/adding-target-blank-to-your-links-opens-the-door-for-phishing-attacks-507851.shtml
(4) https://sites.google.com/site/bughunteruniversity/nonvuln/phishing-with-window-opener
(5) http://davidebove.com/blog/2016/05/05/target_blank-the-vulnerability-in-your-browser/
(6) https://en.wikipedia.org/wiki/Tabnabbing

That's why I love Firefox so much!

That's all! See you.