Tabnabbing new method for phishing.

Published: 2010-05-25
Last Updated: 2010-05-25 19:33:46 UTC
by donald smith (Version: 1)
5 comment(s)

New method for phishing discovered by Aza Raskin “creative” lead for firefox.
I had to run this thru google translation service and it did a decent job but not perfect.
I modified it somewhat based on my understanding of the issue.
There is a good flash video that shows how the attack works.

Here are the steps as outlined in the translated version of his description.

User navigates to your normal looking site.

The phishing site detects when the page has lost focus and it hasn't been interacted with for a while.

Replace the favicon on the tab with the Google favicon, the title with "Gmail: Email from Google", and the page with a Google log look-a-like. This can all be done with just a little bit of Javascript that takes place instantly.

The user scans their many tabs open, the favicon and title act as a strong visual cue and memory is malleable, moldable … and the user will simply think that they will most likely left a Gmail tab open. When they click back to the fake Gmail tab, they'll see the standard Gmail login page, assume they've been logged out, and provide their credentials to log in. When they click back to the Gmail tab fake, they'll see the standard Gmail login page, Assuming they've logged out, and provide their credentials to login. The attack preys on the perceived immutability of tabs.

Assuming the user had left a Gmail tab open where they had previously correctly authenticated. Also assuming the user has entered their login information and you've sent it back to your server, the phishing site can now redirect you to Gmail because they were never logged out in the first place, it will appear as if the login was successful.


5 comment(s)


I am not discounting the validity of this attack but it seems somewhat unlikely you're going to get someone to let a phishing page sit idle while they go surf another tab. I mean a hacker is generally trying to get someone to go to a site and DO something there for a phishing you have to hope they just lose interest in your phishing site and open a new tab to browse somewhere else? just doesn't seem like a very viable means of phishing.

not only that...I am pretty sure I am gonna notice if one of my tab fav icons changes suddenly while i'm sitting there.

now if i have walked away from my PC....that's a possibility I guess...

am I just missing something that would make this seem more prolific that it appears it would be?
While the reach of such attack might seem very low when thinking about phising, it take it full strength when added in those popular website infection kit, defacing official website without changing the visual aspect of them.

Add some automation like using reference URL, search term used to reach website and you already got clue what can be 'tab-jacked'.

Email account would probably be the highest successful one.

I'm a regular visitor of (and I'm Dutch).

However, instead of translating the page, you can read a similar English writeup at "the H" here:
(and in German here:

Note that all pages refer to the following (English) blog page:
A.Champ is right, the dutch article also refers to the attack as found by 'Aza Raskin'.

I see this happening: set up some innocent looking page, make sure it loads really slowly (or better, fake it with javascript to be sure), and then put the attack on that.

However, the url shown isn't changed, so that gives it away easily. Still, they only have to get a few users to make it worth their time if the site target has enough value per account.

Defenses... why does javascript need to be allowed to change the favicon?
While the automated use of this exploit might get more success with hotmail/gmail/twitter/facebook phish, there are other targeted use that could probably be very efficient.

Injecting JS to vulnerable forums/website related to a specific subject, without defacing it or hindering the user ability to use it to stay under the radar.

Example: Adding the JS sample to website related to a game, then faking that game official page or forum, with the JS when the user is tabbed elsewhere. Even better, simply push the JS script ads in a ads network and 'aim' specific website category.

On the corporate side, it could even be used when a partner or official website get injected/compromised. Even if that website doesn't require credential, if the JS fake some internal web-based tools, the success-rate might be interesting for the bad guy.

Diary Archives