New cyber attack, all browsers vulnerable: open tabs lead you to identity theft

This week a Firefox creative lead Aza Raskin reported a new form of attack dubbed “tabnapping” that allows hackers to easily lure users into providing their passwords by secretly changing already-open browser tabs. It was said that all major browsers on Windows and Mac OS X are vulnerable to this kind of attack.

Raskin pictured the scenario of the attack: people often leave many tabs open for long periods which makes the hacking task for the cyber crooks simple. After a user visits a malicious website hackers use JavaScript to quietly change the contents and label of an open-but-not-active tab to resemble the log-in screen of a bank or credit card company or Amazon.com or Gmail.

"As the user scans their many open tabs, the favicon and title act as a strong visual cue -- memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open," said Raskin, referring to his example of a spoofed Google Gmail log-in. "When they click back to the fake Gmail tab, they'll see the standard Gmail log-in page, assume they've been logged out, and provide their credentials to log in."

There's no need for the attacker to change the actual URL that shows in the browser's address bar, since the tactic banks on the trust that tabs can't suddenly mutate. "The attack preys on the perceived immutability of tabs," Raskin said.