Tab Napping, a real threat?

[dave87]

http://uk.biz.yahoo.com/07062010/389...line-scam.html


I'm not convinced, surely you would have to open a dodgy window or have something installed on your PC without your knowledge for this to work?

What do we think?

[MadduckUK]

i think tap nabbing is worse

[jim]

Yeah, you'd have to have something dodgy installed.

To be honest though, it would catch me out. I don't check the address bar when I go back to a previous opened tab. And I routinely leave tabs open for upwards of 20 minutes before using them.

The obvious answer to me though is for banks and so on to use sessions as soon as you go to the login page. Have a countdown on the page which shows how long you've got before you're redirected away from the login back to the main site.

That way, a fake would either have to replicate the countdown, and thus prove that it's false because they work on the basis that you've left the tab open for ages, or miss it out and thereby look unrealistic.

At the end of the day it's not that sophisticated... it's no more than simple page redirection... but the idea of using 30 minute old tabs is very sensible, since you probably wouldn't even notice the change. That's why a more visual protection system would probably work, imo.

[TheAnimus]

Yeah, you'd have to have something dodgy installed.

No, no you wouldn't.

Most browser give up your history if people query for a specific URL, this is via a styling attack that remains 'controversial' to say the least.

then you simply set the content.

But given that you would have to not look at the URL bar for this to work, that should limit the impact a bit.

Also as most online banks explicitly tell you to use a clean 'session' its hardly going to be an issue for those following the good advice there either.

[XA04]

I posted this on my facebook the other week...

http://digg.com/security/New_Type_of..._Tabs?OTC-fbc8

EXAMPLE http://www.azarask.in/blog/post/a-ne...ishing-attack/


I think it could be quite a serious threat really. It doesn't totally work in chrome as the favicon doesn't change.

[jim]

No, no you wouldn't.

Most browser give up your history if people query for a specific URL, this is via a styling attack that remains 'controversial' to say the least.

then you simply set the content.

But given that you would have to not look at the URL bar for this to work, that should limit the impact a bit.

Also as most online banks explicitly tell you to use a clean 'session' its hardly going to be an issue for those following the good advice there either.

Analysing a tab, seeing that it's been open for 30 minutes, and then redirect it to a site of your choosing? Surely that can't be done via your method.

[TheAnimus]

ah no the idea is that you already 'own' that tab via a cross site scripting or something. But rather than just re-direct to any kind of phishing scam, you check their history, using the "has user visted known url via css bug", then you can go one step further, see if they are currently logged in to facebuck, and generate a very convincing phishing scam that the user dosen't remember opening.

its not really going to be a big one imho.