What Is Target Blank Anchor Tag Phishing Attack? How To Prevent It?

Last September, Instagram fixed a big issue that most frontend developers around the world take for granted: putting a target="_blank" attribute on an anchor tag to make the link open in a new tab. There is a problem in how the browser behaves when a link is opened in a new tab this way.
When one clicks a link like this, the new tab that opens has a window.opener which points to the HTML document of the page from which the link was clicked. This means that once the user clicks the link, the new malicious page has full control over the previous page's document's full window object! window.opener is accessible across origins!
The attacker can leverage this: while the link is opening in another tab, the attacker can redirect the original tab's URL location, in the background, to a phishing page designed to look like the real original page and asking for login credentials (the origin security model of the web prevents the attacker from reading the page). The user likely wouldn't notice this, because the redirect happens in the background. The attack could be made even more subtle by adding a delay before redirecting to the phishing page. This kind of attack is called reverse tab nabbing.
If the attack is targeted, the attacker can leverage other kinds of attacks to see whether a user is logged into, for example, a banking service, which often requires re-authentication after the session expires within a few minutes. Combine this with Unicode domain names, and people would have absolutely no idea what hit them, since even their last chance, looking at the URL of the affected tab, would have deserted them. (It's possible that a user wouldn't be attentive enough to notice the address bar, especially on mobile browsers, which sometimes hide the address bar while scrolling down.)
However, companies like Facebook and Twitter are reluctant to fix this issue. Why? Facebook says that although this is indeed a door to a phishing attack, fixing it would also block websites from seeing which visitors came to them from Facebook.
Facebook's status as a top traffic director is a major source of its revenue, and of profit for people who can monitor where their users are coming from, especially if they are paying Facebook to do so.
What did Facebook do? Facebook limits the number of requests a given IP address can make to it each second, which keeps hackers from phishing users on a large scale. But that won't stop websites from exploiting the vulnerability on a small scale or keep hackers from targeting individuals.
Browser makers have to take action on this. Why give a user access to the window object of the original web page at all?
For now, one can fix it by simply adding a rel="noopener noreferrer" attribute to the anchor tag (noreferrer is needed for older browsers).
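An added example, not code from the original article: a small Node.js script that finds anchors with target="_blank" that lack the rel tokens recommended above and adds them. The regex-based tag matching, the function names and the sample URLs are assumptions made for illustration.

```javascript
// Regex-based for brevity; it assumes attribute values contain no ">" character.
const ANCHOR_RE = /<a\s[^>]*>/gi;
const REQUIRED = ["noopener", "noreferrer"]; // the rel tokens the article recommends

// Return an attribute's value from an opening tag, or null when it is absent.
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// List the rel tokens a target="_blank" anchor still lacks ([] means nothing to do).
function missingRelTokens(tag) {
  const target = getAttr(tag, "target");
  if (!target || target.toLowerCase() !== "_blank") return [];
  const rel = (getAttr(tag, "rel") || "").toLowerCase().split(/\s+/).filter(Boolean);
  return REQUIRED.filter((token) => !rel.includes(token));
}

// Rewrite one opening tag so that rel carries every required token.
function hardenTag(tag) {
  const missing = missingRelTokens(tag);
  if (missing.length === 0) return tag;
  const rel = getAttr(tag, "rel");
  if (rel === null) return `${tag.slice(0, -1)} rel="${missing.join(" ")}">`;
  // Keep existing tokens such as nofollow and append only what is missing.
  const merged = [...rel.split(/\s+/).filter(Boolean), ...missing].join(" ");
  return tag.replace(/\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, () => ` rel="${merged}"`);
}

// Harden every anchor in a document and report which ones needed changes.
function hardenHtml(html) {
  const findings = [];
  const output = html.replace(ANCHOR_RE, (tag) => {
    const missing = missingRelTokens(tag);
    if (missing.length > 0) findings.push({ tag, missing });
    return hardenTag(tag);
  });
  return { output, findings };
}

// Constructed sample markup (hypothetical URLs, not from the original page).
const SAMPLE = [
  '<a href="https://example.com/a" target="_blank">no rel</a>',
  '<a href="https://example.com/b" target="_blank" rel="nofollow noopener">partial</a>',
  '<a href="https://example.com/c" target="_blank" rel="noopener noreferrer">ok</a>',
  '<a href="/local">same tab</a>',
].join("\n");
const report = hardenHtml(SAMPLE);
console.log(report.output);
```

Running the output through hardenHtml a second time reports no findings, so the rewrite is safe to apply repeatedly in a build or lint step.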
One could, instead use
by preventing the default action on click of a link, but Facebook has found that it significantly reduces the amount of time that the new link takes to open in a new tab, and it has some Safari issues. So. Na ah.
What is amazing on top of this is that, without rel=noopener, the web page suffers a performance hit. If an anchor tag without rel is opened, the original web page tab's main thread activity is disrupted, which means that
  1. Any JavaScript running on that page would be disrupted
  2. Any selecting of the text will be janky
  3. Scrolling would be janky. And so on.
But with rel=noopener, everything keeps running smoothly at 60fps.
Why does this performance glitch happen at all?
Most browsers are multi-process except Firefox, whose team is working on it. Each process has multiple threads, including what we call the "main" thread. This is where parsing, style calculations, layout, painting and non-worker (browser UI) JavaScript run. This means that JavaScript running on one domain (say fossbytes.com) runs on a different thread to a window/tab running another domain (say youtube.com).
However, due to the synchronous cross-window access the DOM gives us via window.opener, windows launched via target="_blank" end up in the same process and thread! rel="noopener" prevents window.opener, so there's no cross-window access, hence the better performance!
