Tabjacking/Tabnabbing: What is it?

The humble browser tab is something we take for granted nowadays, and most of us have probably never thought about what an impact it has had on the way we surf the internet. The concept first appeared in what is now a little-known browser called NetCaptor more than 20 years ago, and although adoption was initially slow, once Opera and Firefox introduced it in the early 2000s, Microsoft's Internet Explorer realized that it has no other option but to follow the pack, and tabs became the norm.

Nowadays, they give us the flexibility of focusing on multiple different tasks at the same time. Thanks to browser tabs, we can quickly switch between web pages, and we can find the resources we need in a matter of seconds. Tabs are massively useful, but they can also be a very good attack vector.

What is tabnabbing or tabjacking?

The attack was first discussed some ten years ago when security researchers realized that a simple but clever technique could allow cybercriminals to pull off what is potentially an extremely clever phishing attack. Here's the scenario.

Let's say that during your workday, you have about a dozen browser tabs that need to be opened all the time. One of the websites opened in a tab has previously been compromised by hackers who have injected a piece of JavaScript code. While you're focusing on another tab, the malicious code silently changes the contents of the tab it's opened in, and instead of the website you've loaded yourself, it displays a malicious carbon copy of Gmail's login page. At one point, you're going through all the tabs you've opened, and you notice the sign-in prompt. Thinking that Gmail has automatically logged you out of your account, you enter your username and password, the malicious JavaScript code sends the credentials to the crooks, and to make things even more believable, it redirects you to the real Gmail. Because you were never actually logged out of your account, you are very likely to see the contents of your inbox and suspect nothing.

As you can see, it's a clever attack, but how likely are you to fall victim to it?

Tabnabbing is struggling to gain popularity with cybercriminals

In 2010, Brian Krebs discussed the attack in detail and explained how many advantages it has over the more traditional tools or the hackers' trade. Back then, information security specialists had already come up with a few proof-of-concept pages, which showed how tabnabbing might work in the wild. Since then, we have seen even more polished designs that overcame a few technical difficulties. They were all published by security researchers, however, and they were all displayed with the idea of protecting and educating users, not harming them.

We have yet to see any large-scale tabnabbing attacks against unsuspecting internet users. It looks like, for the time being, at least, the crooks prefer to use more traditional schemes for stealing people's credentials. It's not easy to justify this decision.

Indeed, tabnabbing involves compromising a website and injecting code into it, which makes it more of a technical challenge. At the same time, however, the social engineering involved in the classic phishing campaigns is absent in this case. Perhaps most of the crooks are happy with the results of the tried and tested methods and reckon that the additional innovation is not worth the effort. That being said, you mustn't underestimate the threat.

What can you do to protect yourself from tabnabbing?

Obviously, a tabnabbing attack can only work against users who don't have the habit of closing their inactive tabs. Unfortunately, for many people, using fewer tabs is easier said than done. Nevertheless, better tab management can always help. Experts advise on using multiple browser windows and arranging different sets of tasks in them. While not foolproof, it might just help you spot something suspicious.

From a technical perspective, you can try using an extension like No Script to block any potentially malicious code from silently refreshing pages and loading bogus login forms. If you let it block all JavaScript code, however, many of your favorite websites won't function properly, and for the majority of users, manually selecting which scripts need to be stopped is too difficult.

The thing that can really save you is your own attention to detail. As we mentioned already, a tabnabbing attack relies on a fake login form, and the good thing about fake login forms is that they can't be hosted on the domain they are trying to impersonate. If you establish the habit of double-checking the address bar of your browser before entering your username and password, you have a good chance of protecting yourself from both tabnabbing and from more traditional phishing.