
Considering this question about tabnabbing, and looking at both of the demos, located here provided by Sjoerd in his answer, and located here provided by Daniel in a comment, all I had to do was to take a look at the URL address bar in my browser (Firefox) and I could see clearly that it wasn't www.google.com.

Is this all it takes to defeat tabnabbing? Or can there be more sophisticated attacks where the URL can be faked as well, to show www.google.com while the page displayed is a fake google log-in page?

Fixed Point
    See also [Are address bars unphishable?](http://security.stackexchange.com/questions/9336/are-address-bars-unphishable) – Sjoerd Sep 14 '16 at 07:01
  • sometimes users can't see a url bar once they interact with the page, mobile especially, but TV ones too – dandavis Sep 14 '16 at 17:34

1 Answer


You are correct. One glance at the URL bar would defeat tabnabbing and many other phishing tricks. What makes tabnabbing special is when a user is in the habit of checking the URL after clicking a link, but not when switching tabs. The correct moment to check the URL is just before entering your credentials.

If there is www.google.com in the address bar and there is a green lock icon indicating that the page is encrypted, you can be sure you are connected to www.google.com. If the page is not encrypted, it is possible that a hacker made www.google.com point to his own server. This is not something that can be done by anyone on the Internet, but it could be done by someone on the same network (e.g. WiFi network) as you.

Sjoerd
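The check the answer describes ("www.google.com in the address bar, plus the lock icon") is a two-part test on the hostname and the scheme, and it is easy to get wrong if you only look for the string "www.google.com" somewhere in the bar. The following is an added example, not code from the question, the answer, or any of the linked demos. It uses the WHATWG URL parser that Node.js and browsers share, and all the sample URLs are constructed to illustrate common look-alike tricks, not taken from any real phishing page. The names `checkLoginPage`, `inspectAddressBar` and `auditSamples` are this example's own.

```javascript
// Added example (not from the original question or answer): the address-bar
// check the answer describes, done with the WHATWG URL parser that Node.js and
// browsers share. A page is accepted as the real www.google.com only when the
// scheme is https: (the "lock icon") AND the hostname is exactly www.google.com.
// All sample URLs below are constructed for illustration.

const EXPECTED_HOST = 'www.google.com';

// Parse what the address bar shows and return the fields that matter for the
// decision. Returns null if the string is not a valid absolute URL.
function inspectAddressBar(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null;
  }
  return {
    scheme: url.protocol,               // e.g. "https:" or "http:"
    host: url.hostname,                 // host only: userinfo and path excluded
    encrypted: url.protocol === 'https:',
  };
}

// The check a user should make "just before entering credentials": both
// conditions must hold. A reason string makes each failure mode visible.
function checkLoginPage(urlString, expectedHost = EXPECTED_HOST) {
  const info = inspectAddressBar(urlString);
  if (!info) return { ok: false, reason: 'not a valid URL' };
  if (info.host === '') return { ok: false, reason: 'URL has no host' };
  if (info.host !== expectedHost) {
    return { ok: false, reason: `host is ${info.host}, not ${expectedHost}` };
  }
  if (!info.encrypted) {
    // Right host, but no TLS: per the answer, someone on the same network
    // could still have pointed www.google.com at their own server.
    return { ok: false, reason: 'no TLS: host could be spoofed on the local network' };
  }
  return { ok: true, reason: 'host matches and connection is encrypted' };
}

// Constructed samples of what an address bar might show after a tab switch.
const SAMPLES = [
  'https://www.google.com/accounts/ServiceLogin',   // genuine
  'http://www.google.com/accounts/ServiceLogin',    // right host, no lock icon
  'https://www.google.com.login-help.example/',     // attacker's subdomain
  'https://login-help.example/www.google.com/',     // host name only in the path
  'https://www.google.com@login-help.example/',     // "www.google.com" is userinfo
  'https://www.g00gle.com/',                        // look-alike characters
  'data:text/html,<h1>Sign in</h1>',                // no host at all
];

function auditSamples(samples = SAMPLES) {
  return samples.map((s) => ({ url: s, ...checkLoginPage(s) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditSamples()) {
    console.log(`${r.ok ? 'OK  ' : 'FAIL'} ${r.url}  (${r.reason})`);
  }
}
```

Only the first sample passes. The userinfo and path cases are the ones a glance can miss: the expected host name is visibly present in the bar, but the parser (and the browser's connection) sees a different host. Comparing `url.hostname` exactly, rather than searching the whole string, is what makes the check reliable.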