Tabnabbing is a phishing method in which attackers take advantage of victims’ unattended browser tabs. After hijacking an inactive tab and redirecting it to malicious URLs, an attacker can perform a phishing attack and execute scripts.

With reverse tabnabbing, on the other hand, attackers can actually rewrite the source page after a victim clicks a malicious link. Usually, this means replacing a source page with a phishing site before the victim navigates back to that original tab. Here, the redirection happens through links from the parent site to the attacker’s site.

These attacks can fool even an attentive user. Here’s how developers can take steps to prevent them.

How Does a Reverse Tabnabbing Attack Work?

A reverse tabnabbing attack begins when a victim clicks a link on a legitimate site. As the new tab opens, the attacker redirects the source page to a phishing page. After navigating back to that page, the victim thinks they are still on the right page. There, attackers can collect any credentials or sensitive data the victim enters into the decoy site.

Websites often contain external links, and if target= “_blank” is added to <a> element in HTML, the link will open in a new tab. The page linked through href might be either safe or unsafe. We do not know if the href link is a legitimate or malicious page since we have no control over it.

<a href=”page.site.com” target=”_blank”>

If a linked page is opened with target=”_blank” or by window.open() in Javascript, the linked page will have access to the same window.opener-property as the linking page. Thus, the linked page can set the property window.opener.location to any domain it wants.

Scroll to view full table

Let us check the following code snippet that contains an unsafe target blank implementation:

Vulnerable Page:

<!DOCTYPE HTML>

<html>

<head>

<title>Reverse Tabnabbing</title>

</head>

<body>

<a href=”evil.sample.com” target=”_blank”>Click me</a>

</body>

</html>

Malicious Site Code:

<!DOCTYPE HTML>

<html>

<body>

<script>

if (window.opener) {

window.opener.location = “https://phish.sample.com”;

}

</script>

</body>

</html>

Now let’s say the victim clicks on the vulnerable page link/button. The malicious site will then open in a new tab, and the target website in the inactive/last tab will be replaced by the phishing website.

The following <a href=”https://sample.com/” target=”_blank”>link</a> is vulnerable to reverse tabnabbing because it uses target=”_blank”.

This means the page that opens in a new tab can access the initial tab and change its location using the window.opener property.

Tabnabbing in Action

Let’s see this in a real-world attack scenario.

The victim has opened a social networking website called funchat.com in a browser window. They logged into the site and saw that someone had posted an offer on their wall: a great deal with a 30% discount on branded smartwatches!

The victim negligently clicks the link, which opens the eshop.com site with the offer in a new tab. However, Eshop is a malicious website that the attacker controls.

The attacker has written the code for his website like this:

<!DOCTYPE HTML>

<html>

<body>

<script>

if (window.opener) {

window.opener.location = “https://funnchat.com/login.php”;

}

</script>

<h1>AMAZING DEAL ON SMARTWATCHES!!</h1>

. . .

</body>

</html>

When the victim checks the fake offer, the malicious site forces the redirection of the victim’s original funchat.com opened tab to the fake website (funnchat.com) controlled by the attacker, which looks exactly like the funchat website’s login page.

The fake website’s login page appears and asks the victim to reenter the login credentials. Thinking they’re on the authentic site, the victim does not hesitate before entering their username and password.

The attacker has then stolen the victim’s login credentials.

Impact

This attack makes it quite probable for even a vigilant user to be lured into revealing confidential information. The user does not suspect their credentials have been stolen, simply believing they entered their password incorrectly on the fake login phishing page. The attacker can steal the victim’s login credentials and take over the victim’s account.

How to Prevent Reverse Tabnabbing

The following fixes can help prevent this attack:

1. Add the rel=“noopener noreferrer” Attribute to the Links

Add rel=”noopener noreferrer” to every <a> element that has the target set to “_blank”. Noopener ensures that the linked page does not have access to window.opener from the linking page. Noreferrer makes sure that the request referrer header is not being sent. Thus, the destination site will not see the URL the user came from.

<HTML Code>

<a href=https://evil.sample.com rel=”noopener noreferrer” target=”_blank”>click here</a>

If Javascript is being used, the same can be achieved by setting the opener-property to null.

var myNewWindow = window.open(url, name, ‘noopener,noreferrer’)
myNewWindow.opener = null

If the user-generated content is being shown on the page, then sanitize the input and apply “noopener noreferrer” to every link.

2. Implement the Cross-Origin-Opener-Policy Header

There is a new browser security feature called cross-origin-opener-policy (COOP). This feature can help prevent an attack where a malicious website calls “window.open” on the victim’s website and then redirects the victim to the attacker’s site.

Return the following HTTP response header from webserver. Browsers that support COOP will process-isolate the document, and attackers can’t access the victim’s site anymore:

Cross-origin-opener-policy: same-origin

3. Sandbox the Frames

Sandbox the frames to prevent the tabnabbing attack from websites loaded in an iframe. Sandboxing can be achieved by setting the attribute “sandbox” as:

<iframe sandbox=”allow-scripts allow-same-origin” src=”https://www.example.com”></iframe>

The sandbox attribute controls many things by default. Mainly, it prevents the framed website from redirecting its parent site.

Take Action Now

Reverse tabnabbing is a severe threat with major consequences, especially when attackers carry it out as a targeted phishing attack. Luckily, you can protect your website from this kind of attack by taking the following steps:

  1. Add the rel= “noopener noreferrer” attribute to the links on the website.
  2. Implement the cross-origin opener policy header.
  3. Add the sandbox attribute to iframes on the website.

Nowadays, browsers support multiple security features to prevent this kind of attack. However, the developer has to take preventive measures by implementing these security controls to protect legitimate users.

More from Risk Management

Security Awareness Training 101: Which Employees Need It?

4 min read - To understand why you need cybersecurity awareness training, you must first understand employees' outsized roles in security breaches. “People remain — by far — the weakest link in an organization’s cybersecurity defenses,” noted Verizon on the release of their 2022 Data Breach Investigations Report (DBIR). They elaborate that 25% of all breaches covered in the report were the result of social engineering attacks, and when you add human errors and misuse of privilege, the human element accounts for 82% of…

4 min read

Secure-by-Design: Which Comes First, Code or Security?

4 min read - For years, developers and IT security teams have been at loggerheads. While developers feel security slows progress, security teams assert that developers sacrifice security priorities in their quest to accelerate production. This disconnect results in flawed software that is vulnerable to attack. While advocates for speed and security clash, consumers must often pay the price when threat actors strike. 48% of developers admitted they were still shipping code with vulnerabilities in 2022. It’s clearly time for a change. Many believe…

4 min read

Will Commercial Spyware Survive Biden’s Executive Order?

4 min read - On March 27, 2023, reports surfaced that 50 U.S. government employees had been targeted by phone spyware overseas. On the day of that report, President Joe Biden signed an executive order to restrict federal agencies’ use of commercial spyware. The timing of the order was linked to this specific phone-targeting exploit. But spyware infiltration of government officials — and by government officials — has been a recurring problem globally. Commercial spyware has long been entwined with statecraft and spycraft, both…

4 min read

How to Boost Cybersecurity Through Better Communication

4 min read - Security would be easy without users. That statement is as absurd as it is true. It’s also true that business wouldn’t be possible without users. It’s time to look at the big picture when it comes to cybersecurity. In addition to dealing with every new risk, vulnerability and attack vector that comes along, cybersecurity pros need to understand their own fellow employees - how they think, how they learn and what they really want. The human element — the individual and…

4 min read