Very popular Internet services are vulnerable to phishing attacks because they use the target="_blank" attribute in their links.
The target="_blank" attribute has been reported as extremely dangerous many times in the past, and some of the reports even carried very eye-catching titles like “Target="_blank" – the most underestimated vulnerability ever”.
The whole process starts when a user clicks on a website's link that uses the target="_blank" attribute. The browser opens a new tab for the link to load, but it also allows the new tab to communicate with the original tab using a browser feature called the “window.opener API”.
Even though the communication is allowed only for a second, that is enough for attackers to place malicious code on the newly opened website. Crooks can also check the source of the click and make the original tab open a new URL.
For instance, if a user clicks on a Facebook link that uses the attribute, the crooks are able to reload Facebook's original page with a clone. The clone would then ask the victim to log in again while stealing their credentials in the meantime.
Moreover, Facebook is not the only major social network exposing its users to risk. Developer Ben Halpern has identified popular websites that are vulnerable to the “reverse tabnabbing” attack, and Instagram and Twitter also made the list.
Only Instagram has taken notice of Halpern's report about the vulnerability, and Twitter is at risk only if it is loaded through the Safari browser.
Google didn’t pay any attention to these “reverse tabnabbing” issues.
“Unfortunately, we believe that this class of attacks is inherent to the current design of web browsers and can’t be meaningfully mitigated by any single website; in particular, clobbering the window.opener property limits one of the vectors, but still makes it easy to exploit the remaining ones,” the company said many years ago.
Google also said that, as a browser vendor, it has done what is within its capacity, and that webmasters and website owners are the ones who should deal with this issue.
The easiest way to mitigate this kind of attack is to add the rel="noopener" attribute to all of a website's links. However, because Mozilla Firefox doesn't fully support that particular attribute, developers should use rel="noopener noreferrer" in order to fix the issue.
Twitter's way of dealing with the problem is the best one so far. It relies on scripts that automatically add the attribute. As for why Twitter is vulnerable only via Safari and not any other browser, Halpern suggests that the reason might be a malfunctioning script.
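The script-based mitigation described above can be sketched as follows. This is an added example, not Twitter's code or code from the original article; the function names are illustrative assumptions, and it goes slightly beyond target="_blank" by also covering links that open a named window.

```javascript
// Added example: names below are illustrative, not from any real site's code.
const REQUIRED_REL = ["noopener", "noreferrer"];

// Merge the required tokens into an existing rel value, keeping tokens the
// author already set (e.g. "nofollow"). rel tokens are case-insensitive.
function hardenedRel(rel) {
  const tokens = (rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  for (const token of REQUIRED_REL) {
    if (!tokens.includes(token)) tokens.push(token);
  }
  return tokens.join(" ");
}

// True when the link loads in another browsing context (target="_blank" or a
// named window), which is the case where the opened page gets window.opener.
function opensNewContext(el) {
  const target = (el.getAttribute("target") || "").trim().toLowerCase();
  return target !== "" && !["_self", "_parent", "_top"].includes(target);
}

// Harden every matching link under `root`; returns how many were changed.
function hardenLinks(root) {
  let changed = 0;
  for (const el of root.querySelectorAll("a[target], area[target]")) {
    if (!opensNewContext(el)) continue;
    const before = el.getAttribute("rel") || "";
    const after = hardenedRel(before);
    if (after !== before) {
      el.setAttribute("rel", after);
      changed++;
    }
  }
  return changed;
}

// In a browser: fix existing links, then re-run when links are added or when
// a script changes target/rel. A re-run that changes nothing sets nothing,
// so the observer does not loop.
if (typeof document !== "undefined") {
  hardenLinks(document);
  new MutationObserver(() => hardenLinks(document)).observe(
    document.documentElement,
    { childList: true, subtree: true, attributes: true,
      attributeFilter: ["target", "rel"] }
  );
}
```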