Tabjacking/Tabnabbing: What is it?

Tabnabbing Tabjacking

The humble browser tab is something we take for granted nowadays, and most of us have probably never thought about what an impact it has had on the way we surf the internet. The concept first appeared in what is now a little-known browser called NetCaptor more than 20 years ago, and although adoption was initially slow, once Opera and Firefox introduced it in the early 2000s, Microsoft's Internet Explorer realized that it has no other option but to follow the pack, and tabs became the norm.

Nowadays, they give us the flexibility of focusing on multiple different tasks at the same time. Thanks to browser tabs, we can quickly switch between web pages, and we can find the resources we need in a matter of seconds. Tabs are massively useful, but they can also be a very good attack vector.

What is tabnabbing or tabjacking?

The attack was first discussed some ten years ago when security researchers realized that a simple but clever technique could allow cybercriminals to pull off what is potentially an extremely clever phishing attack. Here's the scenario.

Let's say that during your workday, you have about a dozen browser tabs that need to be opened all the time. One of the websites opened in a tab has previously been compromised by hackers who have injected a piece of JavaScript code. While you're focusing on another tab, the malicious code silently changes the contents of the tab it's opened in, and instead of the website you've loaded yourself, it displays a malicious carbon copy of Gmail's login page. At one point, you're going through all the tabs you've opened, and you notice the sign-in prompt. Thinking that Gmail has automatically logged you out of your account, you enter your username and password, the malicious JavaScript code sends the credentials to the crooks, and to make things even more believable, it redirects you to the real Gmail. Because you were never actually logged out of your account, you are very likely to see the contents of your inbox and suspect nothing.

As you can see, it's a clever attack, but how likely are you to fall victim to it?

Tabnabbing is struggling to gain popularity with cybercriminals

In 2010, Brian Krebs discussed the attack in detail and explained how many advantages it has over the more traditional tools or the hackers' trade. Back then, information security specialists had already come up with a few proof-of-concept pages, which showed how tabnabbing might work in the wild. Since then, we have seen even more polished designs that overcame a few technical difficulties. They were all published by security researchers, however, and they were all displayed with the idea of protecting and educating users, not harming them.

We have yet to see any large-scale tabnabbing attacks against unsuspecting internet users. It looks like, for the time being, at least, the crooks prefer to use more traditional schemes for stealing people's credentials. It's not easy to justify this decision.

Indeed, tabnabbing involves compromising a website and injecting code into it, which makes it more of a technical challenge. At the same time, however, the social engineering involved in the classic phishing campaigns is absent in this case. Perhaps most of the crooks are happy with the results of the tried and tested methods and reckon that the additional innovation is not worth the effort. That being said, you mustn't underestimate the threat.

What can you do to protect yourself from tabnabbing?

Obviously, a tabnabbing attack can only work against users who don't have the habit of closing their inactive tabs. Unfortunately, for many people, using fewer tabs is easier said than done. Nevertheless, better tab management can always help. Experts advise on using multiple browser windows and arranging different sets of tasks in them. While not foolproof, it might just help you spot something suspicious.

From a technical perspective, you can try using an extension like No Script to block any potentially malicious code from silently refreshing pages and loading bogus login forms. If you let it block all JavaScript code, however, many of your favorite websites won't function properly, and for the majority of users, manually selecting which scripts need to be stopped is too difficult.

The thing that can really save you is your own attention to detail. As we mentioned already, a tabnabbing attack relies on a fake login form, and the good thing about fake login forms is that they can't be hosted on the domain they are trying to impersonate. If you establish the habit of double-checking the address bar of your browser before entering your username and password, you have a good chance of protecting yourself from both tabnabbing and from more traditional phishing.

By Duran
April 3, 2020
Password Security
English
April 3, 2020
Password Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

5 years ago

What is the OperaGXSetup.exe File and is it Malicious?

11 months ago

Eporner.com And Why Its Excessive Pop-Ups Are Risky

11 days ago

HackTool:Win32/Crack: a Malicious Threat That Can Seriously...

7 months ago

Take Note: Someone Added You As Their Recovery Email Scam

10 months ago

A Potentially Serious Threat: Trojan:Win32/Suschil!rfn

18 days ago

Related Posts

Password Security

How To Choose The Best Password Manager For My Safari Browser?

If you're an eager online surfer it's likely that you have more than a dozen online accounts, which all use their own login data, such as a unique username, and more importantly, a unique password. We've all read... Read more

April 11, 2018
How To

How to Change Your Ebay Password for Security

While still definitely newsworthy, one can hardly call data breaches a novelty. So many major tech companies and commerce giants have suffered one or more that it's hard to keep up. One of the biggest and most... Read more

April 3, 2020
Password Security

Google Introduces Password Security Changes

Login credentials remain to be one of the most targeted pieces of information by cybercriminals. Consequently, cybersecurity experts talk more and more about bad password habits and measures that both companies and... Read more

December 11, 2019
English
Loading...

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2025 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.