back to article Tabnapping attack baits phishing trawl

A leading developer of Firefox has warned of a sneaky potential new form of phishing attack. Aza Raskin, the creative lead for Firefox, explains that the approach exploits the fact that most surfers keep many tabs open during a browsing session, without really keeping track of what sites they have visited. The so-called …

COMMENTS

This topic is closed for new posts.
Silver badge

Opera

Opera, presumably without any knowledge of this particular attack seeing as I'm not using a "snapshot" version, just the last regular update, does the best that you can expect - the title bar changes to "Gmail" (but then you can hardly regulate titlebar changes!) but the printed URL in the address bar and the favicon stay identical to the version which "loaded" originally.

Though it is more interesting than most of these techniques, again it only fools the unwary who have been and always will be at risk because they don't bother to check things properly. If people don't check for padlocks / green security bars / etc. then they are stuffed anyway. 99% of people *don't*. And if you just ignore security certificate warnings or click Yes, then you're stuffed too.

Follow the oldest rules of all: If you want to log in to GMail, type in www.gmail.com into your browser. Don't click a link. If something asks you to "login again", check it thoroughly, no matter if you "thought" you were logged in already. (Incidentally, the latest Opera stable plays merry hell with the Register logins and I'm constantly being asked to re-log-in).

About once every six months or so GMail asks me to log in again, and that freaks me out and I have to check why. And even the Google Adsense thing (which asks you to login but also has a "Click here if you're a Google Account user" link) arouses my suspicions immediately because I should damn well already be logged in so the sight of some login boxes makes me suspicious.

And those people who *don't* work like that should be using their browser's privacy features like autologin on sites because that way their details WON'T be automatically plugged in on anything but the sites they were intended for, and hence you will "spot" these problems quicker.

It's interesting, will likely catch a LOT of people out, but it's nothing that hasn't always been possible, and nothing you can really "fix" except by whacking people around the earhole.

0
0

NoScript...

... seems to block this attack. Does this mean I don't need to worry about it?

1
0
Anonymous Coward

asd

NoScript will block this kind of attack as long as you don't allow scripts on the "bad" host, but if someone hacked a trusted site, then this type of attack wont be blocked.

3
0
Bronze badge
Go

@shuckie

> NoScript seems to block this attack. Does this mean I don't need to worry about it?

Only if you do indeed run NoScript, glasshopper.

0
0
Silver badge
FAIL

Doesn't work here

The RequestPolicy extension prevents this attack working properly, when it tries to display the GMail stuff all I get is a blank page.

1
0
Silver badge
Unhappy

Bah!

The case for Getting Rid Of JavaScript Altogether (G-ROJA) is getting stronger and stronger.

Ban it now. Turn it off in your browser and deal with the problem of JavaScript-based attacks by dealing with the attack vector at source.

Any other scheme is treating a symptom instead of the root cause of the malady.

"But my websites will have less shiny" you say.

"A proper web design doesn't need stupid client side tricks to get you to interact with the site, and you sure as hell don't need this pox-causing language *or* the nitwit "programs" that are written in it on your computer in order to buy shoes, books or tat off eBay" sezzeye.

Ban JavaScript now, before some Chechnyan mastermind has your bank account password.

Ban JavaScript now before your credit card goes to China without you.

Ban JavaScript now because it emboldens the terrorist.

You know it makes sense.

1
0
Silver badge

Redirections are evil anyway

just block them.

1
0
This topic is closed for new posts.

Forums