Tabnabbing attacks – A new Phishing tactic

Most of you are aware of Phishing, where a fraudulent process is initiate with the intent of acquiring sensitive information like passwords and credit card details, by presenting oneself as a legitimate entity. But what if you are on a legitimate page and the page you have been looking, changes to a fraudulent page, once you visit another tab? This is called Tabnabbing!


How Tabnabbing works

  • You navigate to a genuine website.
  • You open another tab and browse the other site.
  • After a while you come back to the first tab.
  • You are greeted with fresh login details, maybe to your Gmail account.
  • You login again not suspecting that the page, including the favicon, has actually changed behind your back!

This can all be done with just a little bit of JavaScript that takes place instantly. As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in.

The attack preys on the perceived immutability of tabs. After the user has entered their login information and you’ve sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.

You visit a web page, you switch to another tab, and behind your back, your first page will have changed!

Reverse Tabnabbing

Reverse Tabnabbing occurs the attacker uses window.opener.location.assign() to replace the background tab with a malicious document. Of course, this action also changes the address bar of the background tab, but the attacker hopes that the victim will be less attentive and will blindly enter their password or other sensitive information when returning to the background task, says Google.

A way out would be if all site owners were to use the following tag:

target="_blank" rel="noopener noreferrer"

To prevent this vulnerability from being exploited, WordPress has started adding noopener noreferrer tags automatically now.

Now take a look at Spear Phishing, Whaling, and Vishing and Smishing scams.

Posted by on , in Category Security with Tags
Anand Khanse is the Admin of, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.

One Comment

  1. “The attack preys on the perceived immutability of tabs.”

    Not exactly. Like phishing, the attack preys upon the naive, lazy or simply, if I may say it, stupid.

Leave a Reply

Your email address will not be published. Required fields are marked *

2 + 9 =