In a phishing attack the attacker tries to steal user data, e.g. login credentials. Reverse tabnabbing is one phishing method, and here we will explain what it is and how it can be prevented.
Websites often refer to pages on other websites. Such links are sometimes opened in a new tab: adding `target="_blank"` to an a-element makes the browser open the link in a new tab.
A linked page opened with `target="_blank"` or by `window.open` gets a `window.opener` property that references the linking page. Thus, the linked page can set the property `window.opener.location` to anything it wants. That opens a set of possibilities, and we can imagine the following attack scenario:
- The attacker creates a page with whatever content and shares it with someone on a social network, which opens the link to the attacker's page with `target="_blank"`.
- In addition, the attacker creates a login page looking identical to the social network login page.
- On the page shared on the social network, the attacker puts `window.opener.location = <url to fake login page>`.
- The fake login page appears in the original tab and asks the user to re-enter credentials. Being prompted for login credentials happens from time to time, so the user does not think too much about it.
- Voilà. The attacker has got the user's login credentials.
There are two quite easy fixes to prevent this kind of attack.
- Add `rel="noopener noreferrer"` to every a-element that has `target="_blank"`. `noopener` ensures that the linked page does not get access to `window.opener` from the linking page. `noreferrer` makes sure that the Referer request header is not sent, so the destination site will not see the URL the user came from. According to caniuse.com, support for noreferrer and noopener is good in recent versions of major browsers. Be aware that Internet Explorer is the usual exception.
- If you open links from JavaScript, pass the `noopener` and `noreferrer` window features to `window.open`. Browsers that honour `noopener` return `null` instead of the new window, so check the result before clearing `opener` on browsers that ignore the feature:

```javascript
var myNewWindow = window.open(url, name, 'noopener,noreferrer');
if (myNewWindow) {
  // Older browsers ignore the feature and still hand back the window;
  // sever the back-reference so the new page cannot reach this one.
  myNewWindow.opener = null;
}
```
If you are showing user-generated content on your page you must sanitize the input and apply `rel="noopener noreferrer"` to every link that opens a new tab.
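As an added example, not code from the original post, the following JavaScript shows the kind of rule a content pipeline would apply to user-generated markup: it finds every anchor start tag that opens a new tab, counts those missing `noopener` or `noreferrer`, and rewrites them so the `rel` attribute carries both tokens. The attribute parser and the sample HTML are constructed for this example; on a real site this rule belongs inside a proper HTML sanitizer rather than a regex pass over raw markup.

```javascript
// Added example (not from the original post): harden links in a fragment of
// constructed user-generated HTML so that every link opening a new tab
// carries rel="noopener noreferrer". The small attribute parser below only
// keeps the example self-contained; a real site should run the same rule
// inside a full HTML sanitizer (it does not cope with ">" inside values).

const REQUIRED_REL = ['noopener', 'noreferrer'];

// Parse the attributes of one start tag body (the text between "<a" and ">").
// Handles double-quoted, single-quoted and unquoted values; returns an array
// of [name, value] pairs with names lower-cased and value null when absent.
function parseAttributes(body) {
  const attrRe = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = [];
  let m;
  while ((m = attrRe.exec(body)) !== null) {
    const value = m[2] !== undefined ? m[2]
      : m[3] !== undefined ? m[3]
      : m[4] !== undefined ? m[4]
      : null;
    attrs.push([m[1].toLowerCase(), value]);
  }
  return attrs;
}

// Serialize [name, value] pairs back into attribute text (double-quoted).
function serializeAttributes(attrs) {
  return attrs
    .map(([name, value]) => (value === null ? name : `${name}="${value.replace(/"/g, '&quot;')}"`))
    .join(' ');
}

// True when the link opens a new browsing context (target="_blank") but its
// rel attribute lacks noopener or noreferrer, i.e. it leaks window.opener.
function isUnsafeBlankLink(attrs) {
  const target = attrs.find(([n]) => n === 'target');
  if (!target || (target[1] || '').toLowerCase() !== '_blank') return false;
  const rel = attrs.find(([n]) => n === 'rel');
  const tokens = new Set((rel && rel[1] ? rel[1] : '').toLowerCase().split(/\s+/).filter(Boolean));
  return !REQUIRED_REL.every((t) => tokens.has(t));
}

// Count the links in a fragment that would hand window.opener to the linked
// page; useful as a check in a review step or a content pipeline.
function countUnsafeBlankLinks(html) {
  let count = 0;
  for (const m of html.matchAll(/<a\b([^>]*)>/gi)) {
    if (isUnsafeBlankLink(parseAttributes(m[1]))) count++;
  }
  return count;
}

// Rewrite every unsafe <a ... target="_blank"> start tag so its rel attribute
// contains both noopener and noreferrer; safe anchors and other tags are
// returned untouched, so the function is idempotent.
function hardenAnchors(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, body) => {
    const attrs = parseAttributes(body);
    if (!isUnsafeBlankLink(attrs)) return tag;
    const existing = attrs.find(([n]) => n === 'rel');
    const tokens = new Set((existing && existing[1] ? existing[1] : '').split(/\s+/).filter(Boolean));
    REQUIRED_REL.forEach((t) => tokens.add(t));
    const relValue = [...tokens].join(' ');
    const rewritten = existing
      ? attrs.map(([n, v]) => (n === 'rel' ? [n, relValue] : [n, v]))
      : [...attrs, ['rel', relValue]];
    return `<a ${serializeAttributes(rewritten)}>`;
  });
}

// Constructed sample of user-submitted markup: two unsafe new-tab links and
// one same-tab link that must be left alone.
const SAMPLE = '<p>See <a href="https://example.com/a" target="_blank">this</a> and ' +
  '<a target=_blank rel="nofollow" href="https://example.com/b">that</a>, or ' +
  '<a href="https://example.com/c">stay here</a>.</p>';

console.log(countUnsafeBlankLinks(SAMPLE), 'unsafe link(s) before');
console.log(hardenAnchors(SAMPLE));
console.log(countUnsafeBlankLinks(hardenAnchors(SAMPLE)), 'unsafe link(s) after');
```

The check is case-insensitive on both `target` and the `rel` tokens, and an existing `rel` value such as `nofollow` is kept rather than overwritten, since dropping tokens a content author set on purpose is a common mistake in this kind of rewrite.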
We hope that you keep this in mind when you develop your websites. Please refer to the links below if you want to know more.