
What Is Target Blank Anchor Tag Phishing Attack? How To Prevent It?

Last September, Instagram fixed a big issue that most frontend developers around the world take for granted: putting a target="_blank" attribute on an anchor tag to make the link open in a new tab. There is a problem with how the browser behaves when a link is opened in a new tab this way.
This is because, when one clicks a link like this, the new tab that opens has a window.opener which points to the HTML document of the page from which the link was clicked. This means that once the user clicks the link, the new malicious page has full control over the previous page's window object! window.opener.location is accessible across origins!
The attacker can leverage this: while the link is opening in another tab, the attacker can redirect the original tab's URL location to a phishing page in the background, designed to look like the real original page and asking for login credentials (the origin security model of the web prevents the attacker from reading the page itself). The user likely wouldn't notice this, because the redirect happens in the background. The attack could be made even more subtle by adding a delay before redirecting to the phishing page. This kind of attack is called reverse tab nabbing.
If the attack is targeted, the attacker can leverage other kinds of attacks to see if a user is logged into, for example, a banking service, which often requires re-authentication after a session expires after a few minutes. Combine this with Unicode domain names, and people would have absolutely no idea what hit them, since even their last chance, looking at the URL of the affected tab, would not help them (it's possible that a user wouldn't be attentive enough to notice the address bar, especially on mobile browsers, which sometimes hide the address bar while scrolling down).
However, companies like Facebook and Twitter are reluctant to fix this issue. Why? Facebook says that although this is indeed a door to a phishing attack, fixing it would also block websites from seeing which visitors came to their website from Facebook.
Facebook's status as a top traffic director is a major source of its revenue, and of profit for people who can monitor where their users are coming from, especially if they are paying Facebook to do so.
What did Facebook do? Facebook limits the number of requests a given IP address can make to it each second, which keeps hackers from phishing users on a large scale. But that won't stop websites from exploiting the vulnerability on a small scale or keep hackers from targeting individuals.
The browser makers have to take action on this. Why give access to the window object of the original web page at all?
For now, one can fix it by simply adding a rel="noopener noreferrer" attribute to the anchor tag (noreferrer is needed for older browsers).
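To apply this fix across existing markup, the following added example (not code from the original post) audits an HTML string for target="_blank" links that lack the recommended rel tokens and returns a hardened copy. The function names, the regex-based parsing and the example.test sample links are assumptions made for illustration.

```javascript
// Regex-based tag matching is an assumption that suits simple markup; it does not
// handle attribute values that contain ">". Use a real HTML parser for templates.
const ANCHOR_RE = /<a(\s[^>]*)?>/gi;
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const REQUIRED = ['noopener', 'noreferrer']; // the two tokens the article recommends

// Parse the attribute text of an opening tag into a map keyed by lowercase name.
function parseAttrs(attrText) {
  const attrs = new Map();
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    // The first occurrence of a duplicated attribute wins, as in browsers.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// For a target="_blank" link, list the recommended rel tokens that are absent.
function missingRelTokens(attrs) {
  if ((attrs.get('target') || '').trim().toLowerCase() !== '_blank') return [];
  const rel = (attrs.get('rel') || '').toLowerCase().split(/\s+/).filter(Boolean);
  return REQUIRED.filter((token) => !rel.includes(token));
}

// Return the findings plus a copy of the markup with the missing tokens added.
function hardenLinks(html) {
  const findings = [];
  const fixed = html.replace(ANCHOR_RE, (tag, attrText = '') => {
    const attrs = parseAttrs(attrText);
    const missing = missingRelTokens(attrs);
    if (missing.length === 0) return tag;
    findings.push({ href: attrs.get('href') || '', missing });
    const kept = (attrs.get('rel') || '').split(/\s+/).filter(Boolean);
    // Drop the existing rel attribute, then append the merged token list.
    const stripped = attrText.replace(/\s+rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, '');
    return `<a${stripped} rel="${[...kept, ...missing].join(' ')}">`;
  });
  return { findings, fixed };
}

// Constructed sample markup (example.test is a placeholder host).
const SAMPLE = [
  '<a href="https://example.test/a" target="_blank">no rel</a>',
  '<a href="https://example.test/b" target="_blank" rel="nofollow noopener">partial</a>',
  '<a href="https://example.test/c" target="_blank" rel="noopener noreferrer">ok</a>',
  '<a href="/local">same tab</a>',
].join('\n');

console.log(hardenLinks(SAMPLE));
```

Existing rel tokens such as nofollow are preserved, and running hardenLinks on its own output reports no findings, so it can serve as a build-time check.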
One could, instead use
by preventing the default action on click of a link, but Facebook has found that it significantly reduces the amount of time that the new link takes to open in a new tab, and it has some Safari issues. So. Na ah.
What is amazing on top of this is that, without rel=noopener, the web page suffers a performance hit. If an anchor tag without rel is opened, the original web page tab's main thread activity is disrupted, which means that
  1. Any JavaScript running on that page would be disrupted
  2. Any selecting of text will be janky
  3. Scrolling would be janky. And so on.
But with rel=noopener, everything keeps running smoothly at 60fps.
Why does this performance glitch happen at all?
Most browsers are multi-process except Firefox, whose team is working on it. Each process has multiple threads, including what we call the "main" thread. This is where parsing, style calculations, layout, painting and non-worker (browser UI) JavaScript run. This means that JavaScript running on one domain (say fossbytes.com) runs on a different thread from a window/tab running another domain (say youtube.com).
However, due to the synchronous cross-window access the DOM gives us via window.opener,
windows launched via target="_blank" end up in the same process and thread! rel="noopener" prevents window.opener, so there's no cross-window access, hence the better performance!
