Tabnapping (also called tabjacking) was a browser security threat (XSS) we identified back in May of 2010. Tab-napping doesn’t target users with a malicious link – it actually targets internet users who have lots of tabs open on their browser. I’ve had some users contact me recently about some rather odd behaviour with their Firefox 4.0 pinned tabs.
In one instance the inactive tab had a login page to an online bank. The user luckily noticed that the URL string on the tab had changed ever so slightly (minor character additions) – cannot show link here for obvious reasons :(, but you could see how easily it could have been missed by the naked eye. Note. The tabnapping threat isn’t restricted to just Firefox. It applies to any browser that allows you to save websites as a browser tab or pinned to the taskbar in Windows 7 as an application.
Cyber criminals have worked out how to replace an inactive browser tab with a fake tab which is setup to collect personal data.The problem with this type of security threat is that users might find that the web page in the browser tab isn’t the same even if the user doesn’t return to it having used other windows and tabs. The security threat is that the tab can end up with malicious code that replaces the original webpage the user opened with a fake webpage. A user would then find it very difficult to distinguish between a fake or authentic webpage.
I personally suggests you follow the simple steps below if you want to protect your online identity from this new security threat:
- Always check the URL has a secure https:// address even if you don’t have tabs open on the browser
- If the URL looks suspicious in any way, close the tab and reopen it by entering the correct URL again
- Avoid leaving tabs open which require you to type in secure login details (in particular banking and financial websites you visit)
- Don’t open any tabs while doing online banking – open new windows instead (CTL + N)
- Use the Firefox NoScript or NotScripts addons which will stop most scripts from running – consider further reading with Web browser XSS add-on security options.
TIP: A fake tabbed page will always have a different URL to the website you are visiting.
If you use online banking you will definitely be at risk from this security threat – in particular if you leave your internet banking login page active on another browser tab.
Safe surfing folks!