Skip to main content

What Is Target Blank Anchor Tag Phishing Attack? How To Prevent It?

What Is Target Blank Anchor Tag Phishing Attack? How To Prevent It?

What Is Target Blank Anchor Tag Phishing Attack? How To Prevent It?
What Is Target Blank Anchor Tag Phishing Attack? How To Prevent It?
Last September, Instagram fixed a big issue which is taken for granted by most of the frontend developers around the world. It’s the issue of putting a link with target=”_blank” attribute in an anchor tag to make it open in a new tab. There is a problem in how the browser behaves if one uses this for opening the link in a new tab.
It is because, when one clicks the link like this, the new tab that gets open has a
which points to the HTML document of the page from which the link was clicked. This means that once the user clicks the link, the new malicious page has full control over previous page’s document’s full window object!
is accessible across origins!
The attacker can leverage this, and while the link is opening in another tab, the attacker can redirect the original tab’s URL location to a phishing page in the background, designed to look like the real original page, asking for login credentials (now the origin security model of web prevents the attacker from reading the page). The user likely wouldn’t notice this, because the redirect happens in the background. This attack could be made even more subtle by adding a delay before redirecting to the phishing page in the background. This kind of attack is called reverse tab nabbing. 
If the attacker is targeting, it can leverage another kind of attacks to see if a user is logged into, for example, a banking service, which often requires re-authentication after a session gets expired after a few minutes. Combine this with Unicode Domain Names, and people would have absolutely no idea what hit them since even the last chance of theirs looking at the URL of the affected tab would have deserted them ( It’s possible that a user wouldn’t be attentive to notice the address bar, especially when he’s on mobile browsers, which sometimes hide the address bar while scrolling down).
However companies like Facebook and Twitter are reluctant to fix this issue, and why? Because Facebook says that although this is indeed a door to a phishing attack, it would also block websites from seeing which visitors came to their website from Facebook.
Facebook’s status as a top traffic director is a major source of its revenue, and profit for people who can monitor where their users are coming from, especially if they are paying Facebook to do so.
What did Facebook do? Facebook delimits the number of requests a given IP address can make to it each second, which keeps hackers from phishing users on a large scale. But that won’t stop websites from exploiting the vulnerability on a small scale or keep hackers from targeting individuals.
The makers of the browsers have to have an action on this. Why give a user access to the window object of the original web page at all?
For now, one can fix it by simply adding a rel=“noopener noreferrer” attribute in the anchor tag like this: 
(noreferrer needed for older browsers)
One could, instead use
by preventing the default action on click of a link, but facebook has found that it significantly reduces the amount of time that the new link takes to open in a new tab + it has some Safari issues. So. Na ah.
What is amazing on top of this is, without the rel=noopener, the web page suffers from a performance hit. If an anchor tag without rel is opened, the original webpage tab’s main thread activity is disrupted, which means that
  1. Any javascript running on that page would be disrupted
  2. Any selecting of the text will be janky
  3. Scrolling would be janky. And so on.
But with rel=noopener, everything keeps running smooth with 60fps.
Why does this performance glitch happen at all?
Most browsers are multi-process except Firefox, whose team is working on it. Each process has multiple threads, including what we call the “main” thread. This is where the parsing, style calculations, layout, painting, non-worker (browser UI) Javascript runs. This means that Javascript running on one domain (say fossbytes.com) runs on a different thread to a window/tab running another domain (say youtube.com).
However, due to synchronous cross-window access, the DOM gives us via
windows launched via target=”_blank” end up in the same process and thread! rel=”noopener” prevents window.opener so there’s no cross window access, hence the better performance!
Labels:

Comments

Post a Comment

Popular posts from this blog

KINGO ROOT v3.0 Cracked APK is Here! [Root Almost Any Android Device]

KINGO ROOT v3.0 Cracked APK is Here! [Root Almost Any Android Device] KINGO ROOT  Just like Kingroot Apk, Kingoroot is the best root tool to root your device.Just a few simple steps can get you a rooted device within minutes.Install it on your Android device, click to root and voila, it is done. Features  Constantly updating and improving root scripts in KingoRoot makes it powerful in every way. It achieved exact model matching and delivers the most possible solution for each device. Support almost all Android versions and Manufacturers customized devices. It perfectly covers Android 1.5 to 5.0 mainstream models from different manufacturers including Samsung, Google, HTC, Sony and every other android phones. What’s Cracked  AD-FREE How to Root ? Download the apk from the link given below. Install the apk. Click to root. Done, Enjoy your root 😀 Screenshots Download & Links  KINGO ROOT v3.0 Cracked APK   /  Mirror  (1.2 Mb) KINGO ROOT for Windo...
Post a Comment
Read more

Top 8 Best WhatsApp Tips And Tricks Of 2017

Top 8 Best WhatsApp Tips And Tricks Of 2017 M illions of people are using WhatsApp these days. It is as popular as Facebook, Twitter or Instagram. With millions of users, we can presume that most of the people at least use it once in a day. And everybody thinks that they know everything about WhatsApp. Maybe some of them do. But most of the people doesn’t, because technology won’t stop. There are always more tips and tricks which you can learn and use anytime. So that’s why today I am going to tell you about Top 8 Best And Cool WhatsApp Tips And Tricks which will definitely help you to become WhatsApp pro. So check out the Tricks in the description below. Top 8 Best WhatsApp Tips And Tricks Of 2017 1. Create Chat Shortcuts If you are chatting with 2 or 3 people at the same time on WhatsApp like with your girlfriend, wife, and with others, it won’t be easy to manage all those chats. So to make it easy, you can create conversation shortcuts to your home screen so that you don’t need to o...
Post a Comment
Read more

How to Get Android 6.0 Boot Animation On Your Android

How to Get Android 6.0 Boot Animation On Your Android oday we are here with cool android trick that is  How to Get Android 6.0 Boot Animation on Your Android . Android 6 is going to come soon and the development for this cool version of android is started and there are lots of tweaks that are now getting ready for this version of android. Android 6 will come up with all new feature that all users will love to have. And in this post we are going to discuss a way to have boot animation of Android 6(Marshmallow) in your android now. Follow up the complete guide below to proceed. How to Get Android 6 Boot Animation on Your Android In this tutorial you will be using a custom boot animation for your android device that will replace with your stock boot animation of your android device. And you will get latest boot animation of android v6.0. So follow up the steps below to proceed. Steps To Get Android 6.0 Boot Animation on Your Android First of all you need download  Marshmallo...
Post a Comment
Read more