Tuesday, June 15, 2010

Vicious web danger: tabnabbing

Most often, I use Firefox as my web browser, mainly because I've grown accustomed to it, and I've developed a big set of bookmarks. These days, I've been saying to myself regularly that I really must get into the habit of using Apple's Safari as my standard browser, because it's making an effort to start to integrate various HTML5 devices.

Meanwhile, no matter which browser we use, a new danger has arisen for web users who (like myself) have become accustomed to jumping between tabs. It's called tabnabbing, because an evil site you visit is capable, as it were, of stealing (or, more precisely, corrupting) a tab of your browser and leading you astray. Let me show you a demo of how it works. I strongly advise you to pay close attention to this demo (which is easy to follow), so that you'll be aware of the way in which tabnabbing does its dirty work.

For the moment, you're reading the Antipodes blog. Now, open another tab (I'm assuming you know how to do that) and open Google. Here's the new situation:

On the left, there's the tab associated with Antipodes. On the right, there's the newly-opened tab with Google, whose address appears at the top. Note the Blogger favicon in the left tab, and the multicolored Google favicon in the second (active) tab. Now, give Google the simple word "tabnabbing". Normally, at the top of the list of Google results, you'll find the following link:

Now, let me explain (so that you won't be worried) that this website belongs to a 26-year-old fellow named Aza Raskin (son of the late Macintosh pioneer Jeff Raskin).

Not only is Aza a "good guy". Above all, he's a brilliant interface guru who holds the current post of creative lead for Firefox at the Mozilla Corporation. And he's the fellow who actually unearthed the existence of the tabnabbing trap. Well, Aza has deliberately installed the evil tabnabbing bug in the above-mentioned website, so that we can see how it works. Now, there's no possibility whatsoever of your being harmed by pursuing this demo. On the contrary, you'll see how the evil strikes, and you'll be all the more capable of avoiding it in a potentially harmful web environment. So, let's pursue the demo.

If you click the reference supplied by Google, you'll see Aza Raskin's elegant website, in which he provides useful information about this problem, which belongs to the category of evil operations known as "phishing". Here's the current appearance of the tabs:

Notice that the second tab now mentions Aza's website, whose address appears at the top. Now return to the Antipodes blog by clicking the left-hand tab. You'll return, as expected, to my blog. But look at the tabs:

The right-hand tab no longer mentions Aza's website, as it did ten seconds ago. It seems to refer to the Gmail website. In fact, we're faced with a tabnabbing trap. It's not really an authentic Gmail website, but rather a fake site designed to extract vital data from you. You can switch to this fake website, harmlessly, to see what it looks like.

It certainly looks like a harmless Gmail page, asking you to sign in. But don't be fooled into thinking that it's really the authentic Gmail website that's requesting data from you. As you can see from the address up at the top, it's still actually a page of Aza's website. So, simply destroy this obnoxious tab.

Conclusion: If ever you click on a tab and discover what seems to be a familiar website, asking you for information, disregard the request, and remove that tab immediately! In other words, whenever you click on a tab, be wary of its authenticity.

POST SCRIPTUM: If readers still have doubts about the trap I've been trying to explain, they can ask me questions through the comments device. Some readers might say: "Oh, I never use tabs." That's simply not true. In Firefox, new tabs often get created automatically when you're clicking around. So, everybody is at the mercy of suddenly having his/her attention attracted by a tab with a familiar favicon and reference, which turns out to be an evil tabnabbing thing.

1 comment:

  1. Thank you, William. A friend of my talked about this but your explanation has brought clarity.