Security News Adding target="_blank" to Your Links Opens the Door for Phishing Attacks

Exterminator

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Some major Internet services are exposing their users to phishing attacks by using the target="_blank" attribute inside links in an unsafe manner.

There have been numerous reports in the past about the dangers of using the target="_blank" attribute, dating back to as far as 2014, and some even with attention-grabbing titles such as Target="_blank" - the most underestimated vulnerability ever.

The "reverse tabnabbinb" attack
The concept behind this flaw is that when users click on a link on a website that uses the target="_blank" attribute, the browser opens a new tab for the link, but also, for a very brief moment, allows the new tab to communicate with the original tab using a browser feature called the window.opener API.

An attacker can place malicious code on the newly opened website, check the source of the click, and force the original tab to open a new URL.

For example, if the user clicks a link on Facebook (which uses target="_blank"), the attacker could reload the original Facebook page with a clone that could later ask the user to relogin, collecting their credentials.
Instagram, Facebook, Twitter vulnerable to this attack
Developer Ben Halpern has identified major websites that are vulnerable to this flaw. The list includes Instagram, Facebook, and Twitter.

Of them, only Instagram has addressed the flaw following Halpern's report while Twitter is vulnerable via Safari only. Google has already said it does not care about this "reverse tabnabbing" issue.

"Unfortunately, we believe that this class of attacks is inherent to the current design of web browsers and can't be meaningfully mitigated by any single website," the company explained many years before, "in particular, clobbering the window.opener property limits one of the vectors, but still makes it easy to exploit the remaining ones."

Fixing the issue falls on website administrators
The company's answer comes as a browser vendor. In reality, fixing the issue falls on webmasters and website owners.

The simplest way to mitigate the attacks is to add the rel="noopener" attribute to all links embedded on a site. For Firefox, which does not fully support that attribute, developers should use rel="noopener noreferrer" instead.

Twitter's approach to this issue is the best way. The company uses scripts to add this attribute automatically. Halpern says that a malfunctioning script might also be to blame for why this attack works on Safari alone on Twitter links, and not other browsers.
Click to expand...
 
  • Like
Reactions: Der.Reisende, DardiM, Logethica and 3 others
You must log in or register to reply here.

Similar threads

Ink
    • HaHa
    • Applause
    • Like
Twitter blocks links to Threads.net from appearing in Twitter searches
Replies
0
Views
437
News Archive
Ink
Ink
Bot
    • Like
Security News Iran-Linked MuddyWater Deploys Atera for Surveillance in Phishing Attacks
Replies
1
Views
903
Security News
LennyFox
L
Gandalf_The_Grey
    • Like
    • +Reputation
D-Link WiFi range extender vulnerable to command injection attacks
Replies
0
Views
1,156
News Archive
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top