Skip to main content

What Is Target Blank Anchor Tag Phishing Attack? How To Prevent It?

What Is Target Blank Anchor Tag Phishing Attack? How To Prevent It?

What Is Target Blank Anchor Tag Phishing Attack? How To Prevent It?
What Is Target Blank Anchor Tag Phishing Attack? How To Prevent It?
Last September, Instagram fixed a big issue which is taken for granted by most of the frontend developers around the world. It’s the issue of putting a link with target=”_blank” attribute in an anchor tag to make it open in a new tab. There is a problem in how the browser behaves if one uses this for opening the link in a new tab.
It is because, when one clicks the link like this, the new tab that gets open has a
which points to the HTML document of the page from which the link was clicked. This means that once the user clicks the link, the new malicious page has full control over previous page’s document’s full window object!
is accessible across origins!
The attacker can leverage this, and while the link is opening in another tab, the attacker can redirect the original tab’s URL location to a phishing page in the background, designed to look like the real original page, asking for login credentials (now the origin security model of web prevents the attacker from reading the page). The user likely wouldn’t notice this, because the redirect happens in the background. This attack could be made even more subtle by adding a delay before redirecting to the phishing page in the background. This kind of attack is called reverse tab nabbing. 
If the attacker is targeting, it can leverage another kind of attacks to see if a user is logged into, for example, a banking service, which often requires re-authentication after a session gets expired after a few minutes. Combine this with Unicode Domain Names, and people would have absolutely no idea what hit them since even the last chance of theirs looking at the URL of the affected tab would have deserted them ( It’s possible that a user wouldn’t be attentive to notice the address bar, especially when he’s on mobile browsers, which sometimes hide the address bar while scrolling down).
However companies like Facebook and Twitter are reluctant to fix this issue, and why? Because Facebook says that although this is indeed a door to a phishing attack, it would also block websites from seeing which visitors came to their website from Facebook.
Facebook’s status as a top traffic director is a major source of its revenue, and profit for people who can monitor where their users are coming from, especially if they are paying Facebook to do so.
What did Facebook do? Facebook delimits the number of requests a given IP address can make to it each second, which keeps hackers from phishing users on a large scale. But that won’t stop websites from exploiting the vulnerability on a small scale or keep hackers from targeting individuals.
The makers of the browsers have to have an action on this. Why give a user access to the window object of the original web page at all?
For now, one can fix it by simply adding a rel=“noopener noreferrer” attribute in the anchor tag like this: 
(noreferrer needed for older browsers)
One could, instead use
by preventing the default action on click of a link, but facebook has found that it significantly reduces the amount of time that the new link takes to open in a new tab + it has some Safari issues. So. Na ah.
What is amazing on top of this is, without the rel=noopener, the web page suffers from a performance hit. If an anchor tag without rel is opened, the original webpage tab’s main thread activity is disrupted, which means that
  1. Any javascript running on that page would be disrupted
  2. Any selecting of the text will be janky
  3. Scrolling would be janky. And so on.
But with rel=noopener, everything keeps running smooth with 60fps.
Why does this performance glitch happen at all?
Most browsers are multi-process except Firefox, whose team is working on it. Each process has multiple threads, including what we call the “main” thread. This is where the parsing, style calculations, layout, painting, non-worker (browser UI) Javascript runs. This means that Javascript running on one domain (say fossbytes.com) runs on a different thread to a window/tab running another domain (say youtube.com).
However, due to synchronous cross-window access, the DOM gives us via
windows launched via target=”_blank” end up in the same process and thread! rel=”noopener” prevents window.opener so there’s no cross window access, hence the better performance!

Labels

Labels:

Comments

Post a Comment

Popular posts from this blog

[ROM] XTREME OS V5 FOR MT6572

Most Features OF This Rom Rooted Deodexed Debloated init.d Enabled X launcher  battery saver tweeks added 13mp camera mod added performance boosting scripts are added dolby audio inbuilt themed x audio player Tested Games working smoothly 90-100%: Dead trigger=High Graphic Setting Asphalt8=Mid Graphics Setting NBA2k14 Cytus Real Boxing Modern Combat 4 .................... .................... .................... ............... .................... ................ Download Our App For Help Click Here Download ............... .................... ................ .................... .................... .................... How to flash this ROM 1. Go to Recovery Mode CWM/CTR (Carliv Touch Recovery) 2. Wipe>Wipe Cache> Wipe Dalvic Cache 3. Mount System and data 4. Install Zip>Choose Zip from SD card>Flash Screenshot
Post a Comment
Read more

WIBR+ WiFi BruteForce Hack Pro v2.2.0 APK is Here ! [Latest] [Eng-Ver]

WIBR+ WiFi BruteForce Hack Pro v2.2.0 APK is Here ! [Latest] [Eng-Ver] WIBR+ WIBR+ WiFi BruteForce Hack Pro WIBR is a handy application for testing of security of the WPA/WPA2 PSK WiFi networks. This application is NOT FAKE, it really works and it is possible to access the WiFi network if it uses weak password. This app supports queueing, custom dictionaries, bruteforce generator and advanced monitoring! Read whole description before buying and please READ FAQ at end of this page. Features Network Tools Hacking Data Privacy Wireless Data Monitors The application supports two types of Test Dictionary test – it tries passwords from predefined list one by one. Please don’t be disappointed if the password will not be found, it simply means that it was not in the dictionary. However, if somebody set his key to “12345678” or “password” it will be detected. This version supports importing of your own dictionaries, so you are no longer limited by pre-installed dictionaries! Bruteforce test – y...
Post a Comment
Read more

[ROM] Flatro Style For MT6572

Most Feature of this ROM Lollipop UI Material Design    Super Ram Management  Dolby Digital Plus Deodexed Pre-rooted Fast performance Better gaming Experience  Improvement in build.prop Fixed SystemUI New Iconpack Rounded Corner Relayout View Pager Relayout Custom Drawer Ram Progress Bar in Recent Contextual Background App Circle Side Bar Tinted Statusbar Carbon Traffic Potato Clock Tested Games working smoothly 90-100% Dead trigger=High Graphic Setting Asphalt8=Mid Graphics Setting NBA2k14 Cytus Real Boxing Modern Combat 4 INSTRUCTIONS: 1.GO TO CWM/TWRP/CTR 2.WIPE SYSTEM/CACHE/DATA/DALVIK 3.SELECT "INSTALL ZIP FROM SDCARD" 4.SELECT "CHOOSE ZIP FROM SDCARD" 5.SELECT THE ROM.ZIP AND "yes" 6.REBOOT AND ENJOY .................... .................... .................... ............... .................... ............... Show Me Some of your love  Download Our Blog App For Help Click Here Download ROM ............... .................... ................ .....
Post a Comment
Read more