Information security has grown steadily in importance and is now an essential aspect of our daily lives. Every day we learn of new attacks on organizations, and in the midst of the pandemic they are happening more frequently than ever. While we know that the weakest link in information security is the end user, we are all responsible for preventing these malicious incidents. That's why today I want to tell you about a little-known attack that developers can easily prevent: Reverse Tabnabbing.
https://youtu.be/uOrHY5kRrP8
If you are a developer and you want to adopt good practices for developing secure applications, this article is for you!
Reverse Tabnabbing: Definition
We are going to answer the question in the title of this article: What is reverse tabnabbing and why is it important to be aware of?
Reverse tabnabbing is a technique in which a page opened through a link redirects the parent page that opened it to another site. It sounds like a mouthful, but it is very easy to understand: suppose we have Site A, which is a blog or social network, and someone posts a link with a target="_blank" attribute (this attribute is often added automatically to links in the comments on these types of sites, since in most cases they point to external sites) and with an href to Site B.
From Site B, the tab showing Site A could be redirected to a malicious Site C that has, for example, a login box identical to the one on Site A.
The malicious site can only access the following properties from the opener JavaScript object reference (which is in fact a reference to an instance of the JavaScript window class) in cases of cross-origin (cross-domain) access:
- opener.closed: Returns a boolean value indicating whether a window has been closed or not
- opener.frames: Returns all iframe elements in the current window
- opener.length: Returns the number of iframe elements in the current window
- opener.opener: Returns a reference to the window that created the window
- opener.parent: Returns the parent window of the current window
- opener.self: Returns the current window
- opener.top: Returns the topmost browser window
Attack
Although Facebook was at one point susceptible to this misnamed vulnerability, it no longer is, but it will serve us very well as an example here. This type of attack is possible on web pages that allow a user to make a persistent publication containing a link, which is generally the case on social networks and blogs.
The attacker publishes a link on their wall or in a chat box where several people can see it:
The site site.malicious.com will open in a new tab and display the offer, so the user may not notice anything awry, but at the same time the original Facebook tab is redirected to a fake login box imitating the social network, using the following code on Site B.
The website https://phishing.malicious.com (Site C) could be easily created with the SET tool, which allows a website to be cloned simply. It is generally used to clone a login page, which then redirects to the original site showing that the credentials are not valid. The user does not suspect that their credentials have been stolen, simply believing that they have entered their password incorrectly.
Solution
The good news is that the Reverse Tabnabbing problem is very easy to correct, and if you are a developer you can adopt the fix as a good practice whenever you create links, because it is always beneficial and has no negative impact. Here you can see how we should create links to avoid this type of attack, just by adding the HTML rel attribute with the following parameters:
Although rel="noopener" should suffice, sometimes Firefox doesn't support it, so we should also add rel="noopener noreferrer" to be 100% covered.
If we use JavaScript to open an external page via window.open(), we must always reset the opener property.
Finally, it is recommended that you add the HTTP response header Referrer-Policy: no-referrer to every HTTP response sent by the application. This configuration will ensure that no referrer information is sent along with requests from the page.
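One way to apply the rel fix automatically to user-submitted content, as an added example that is not code from the original article: the hypothetical helper hardenLinks rewrites every anchor that opens a new browsing context so it carries rel="noopener noreferrer". It goes slightly beyond target="_blank" by also covering named targets, which open a new tab as well, and it uses regular expressions only to stay self-contained; a production sanitizer would use a real HTML parser.

```javascript
// Added example (not from the original article): server-side hardening of
// user-submitted HTML so links that open a new tab cannot reach window.opener.
const REQUIRED_REL = ["noopener", "noreferrer"];
const SAME_CONTEXT = new Set(["", "_self", "_parent", "_top"]);

// Opening <a ...> tag; quoted attribute values may contain ">".
const ANCHOR_RE = /<a(?=[\s>])((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
// One attribute: name, then an optional double-quoted, single-quoted or bare value.
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Hypothetical helper: attribute string -> Map of lower-cased name to raw value.
function parseAttrs(raw) {
  const attrs = new Map();
  for (const m of raw.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    // Browsers honour the first occurrence of a duplicated attribute.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag, raw) => {
    const attrs = parseAttrs(raw);
    const target = (attrs.get("target") || "").trim().toLowerCase();
    if (SAME_CONTEXT.has(target)) return tag; // no new tab, nothing to harden
    // Keep existing rel tokens (e.g. nofollow) and add the required ones.
    const rel = new Set((attrs.get("rel") || "").toLowerCase().split(/\s+/).filter(Boolean));
    REQUIRED_REL.forEach((token) => rel.add(token));
    attrs.set("rel", [...rel].join(" "));
    const rebuilt = [...attrs].map(([k, v]) => `${k}="${v.replace(/"/g, "&quot;")}"`);
    return `<a ${rebuilt.join(" ")}>`;
  });
}

// Constructed sample comment; the host name is the one used in the article.
const sample =
  '<p>Deal: <a href="https://site.malicious.com" target="_blank">offer</a> ' +
  "and <a target=_blank rel='nofollow' href=/terms>terms</a>, " +
  '<a href="/about">about</a></p>';
console.log(hardenLinks(sample));
```

The function is idempotent, so it can run both when a comment is stored and again when it is rendered.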
Bonus
If you are a Firefox browser user, you can protect yourself from this type of attack by modifying its settings. As a user of this browser I personally recommend doing so, as you can avoid becoming a victim due to a small oversight. Here I explain how:
- Open a new tab and enter about:config
- Click on the “Accept the risk and continue” button.
- Search for "dom.targetBlankNoOpener"
- Change the value to true and that’s it! You can now browse with peace of mind.
About the Author
Valentino Mantovani is a Senior Software Programmer and IT security specialist with more than 10 years of experience. He is motivated by the challenge of learning to use new technologies to carry out a project.