137

Wikipedia is not very explicit on this,

The exploit employs scripts to rewrite a page of average interest with an impersonation of a well-known website, when left unattended for some time.

What is 'tabnabbing', how does one do it?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Matas Vaitkevicius
  • 1,325
  • 2
  • 9
  • 12

2 Answers2

172

Tabnabbing is a phishing technique where a malicious web site changes its looks while the tab is inactive in order to trick the user into entering credentials.

This page is simultaneously a description and a demo. When you visit it, it shows a description of what tabnabbing is. When you then click another tab, it changes the tabs favicon and title to look like Gmail. Later, when the user wants to read her mail she goes to this tab thinking it is Gmail and enters her credentials.

Edit:

In this animation, you see that while I am reading SE, the tab that at first looked harmless changes in the background to look like Gmail. This way the page tries to trick me into submitting my credentials.

Tabnabbing demo

schroeder
  • 123,438
  • 55
  • 284
  • 319
Sjoerd
  • 28,707
  • 12
  • 74
  • 102
  • 9
    Seems like the demo page you provided has been sort of broke since 2015. – Dog eat cat world Sep 08 '16 at 12:24
  • 9
    Indeed the screenshot of Gmail no longer shows. – Sjoerd Sep 08 '16 at 13:05
  • the title text and favicon change, but the gmail login interface does not show up – user13267 Sep 08 '16 at 14:22
  • 1
    You can find the screenshot in the [actual paper about tabnapping](https://www.securitee.org/files/tabnabbing_asiaccs2013.pdf) – grochmal Sep 08 '16 at 14:43
  • 103
    Lost 5 minutes waiting for the favicon to change, and then I remembered that I have NoScript enabled -.- – Bakuriu Sep 08 '16 at 15:30
  • 2
    Another good reason to use a password manager, which wouldn't be fooled by attacks like this. – Carey Gregory Sep 08 '16 at 17:15
  • 10
    Another good reason to just close tabs you're done with instead of letting them pile up. – Shelby115 Sep 08 '16 at 17:20
  • 14
    Here's [a more effective demo](http://isis.poly.edu/~eitan/tn-poc/page.html) created by [Eitan Adler](http://blog.eitanadler.com/2010/05/tabnabbing-without-javascript.html) which uses meta refresh to [open the demo phishing page](http://isis.poly.edu/~eitan/tn-poc/goog.html). – Daniel Sep 08 '16 at 18:43
  • 2
    @Shelby115 Or (1) pin the tabs you want to keep open and (2) use a password manager. – chrylis -cautiouslyoptimistic- Sep 09 '16 at 03:44
  • 2
    @CareyGregory Password managers may not be fooled by this exploit but many of them are/were vulnerable to remote compromises. See Tavis Ormandys twitter or this list from [Google Project Zero](https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=owner:taviso@google.com&sort=-id&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary). Third party browser components are an increased vulnerability surface. – Johnbot Sep 09 '16 at 11:06
  • This is ... evil. How many people actually fall for this, though? – John Dvorak Sep 09 '16 at 14:42
  • 1
    @CareyGregory Well, I'm pretty sure password managers like KeePass will fall for this since they use just the window title to provide the auto type functionality. You have to use something integrated in the browser to avoid this. – Bakuriu Sep 09 '16 at 18:09
  • 8
    Complaint: can you include what *tabnapping* **is**? You just give a link to a page that describes it, and a GIF of what *happens*. But your answer doesn't contain anything but a demo... obviously I can read the link, but what if the link breaks? Better to summarize now... I'll edit such info in if you want. – Chris Cirefice Sep 10 '16 at 03:24
2

It is a form of social engineering attack through your web browser. You are asked to visit a malicious page which will only get loaded if you switch to another tab and back. There are some tools around to do this. Best for me is Social Engineering Toolkit. It comes pre-installed with Kali Linux along with other useful toys.

Chris Tsiakoulas
  • 1,757
  • 1
  • 9
  • 9