How to foil web browser 'tabnapping'
By Irene Warui
A new, incredibly sneaky identity-theft tactic surfaced earlier this week when Mozilla unveiled what’s become known as 'tabnapping.'
Tabnapping — from the combination of "tab" and "kidnapping" — could be used by phishers to dupe users into giving up passwords by secretly changing already-open browser tabs. All browsers on Windows and Mac OS X are vulnerable.
Aza Raskin, the creative lead of Firefox, says an open tab of Facebook, for instance, may be a false window. Very few of us would notice. As a result, we readily enter our username and password when prompted, only to fall prey to phishers.
Tabnapping hasn’t reached us yet, but it is certainly going to be the next genre of cyber crime. What can you do if tabnapping shows its face?
Don’t log in on a tab that you haven’t opened yourself. Tabnapping banks on you trusting that you opened the tab — and that the site simply timed out. If you see a tab that contains a seemingly legit log-in form, close it, then head to the site yourself in a new tab.
It is unlikely that browser makers will patch this up soon, since the risk does not emanate from security vulnerabilities per se.
However, every major browser has a filter of some kind designed to weed out malicious sites and sites suspected of being infected with attack code. Those filters, assuming the blacklists underlying them are current and accurate, would block tabnapping attacks.
To kidnap tabs, a hacker has to get his tab-mutating code onto your machine somehow. Every time you include a third-party script on your page, or a Flash widget, you leave yourself wide open for an evildoer to use your site as a staging ground for this kind of attack. So the best defense browsers can currently manage is to warn you of potential attack sites before you reach them. That’s where filtering comes in.
Combating hijacking
Internet Explorer’s SmartScreen Filter also plays a role in combating this sort of hijacking attempt. SmartScreen blocks millions of views of malicious pages each month and would help protect users against tabnapping.
Other browsers have tools similar to SmartScreen. In Firefox and Chrome, it’s called "Phishing and Malware Protection." Opera dubs its filter Fraud Protection; Safari doesn’t give it a name, but simply offers a setting that reads "Warn when visiting a fraudulent website" in the Security section of its Preferences.
To stymie tabnapping, look at the URL in your browser’s address bar before filling in any form or giving out any personal information. Unless the attackers are particularly clever and able to exploit a vulnerability or flaw to "spoof," or fake, the URL, it won’t match the bogus log-in screen.
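As an added example (not from the article), a small defensive userscript that applies this advice automatically: it records what a user relies on to recognise a tab (title, favicon, whether a password field exists) when the page loads and warns if any of them changed by the time the tab becomes visible again. The snapshot field names and warning text are my own assumptions; legitimate sites change their titles too, so a warning is a prompt to check the address bar, not proof of attack.

```javascript
// Added example, not code from the article or from any browser vendor.
// Detects a tab whose visible identity changed while it was in the background,
// which is the behaviour tabnapping relies on.

// Capture the cues a user uses to recognise a tab. Field names are assumptions.
function takeSnapshot(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.getAttribute('href') : null,
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Compare two snapshots and return the list of changes that matter to a user.
// An empty list means nothing a user would notice has changed.
function detectTabMutation(before, after) {
  const reasons = [];
  if (before.title !== after.title) reasons.push('title changed');
  if (before.favicon !== after.favicon) reasons.push('favicon changed');
  if (!before.hasPasswordField && after.hasPasswordField) {
    reasons.push('password field appeared');
  }
  return reasons;
}

// Constructed sample snapshots: a weather page that turned into a sign-in page.
const SAMPLE_BEFORE = { title: 'Weather today', favicon: '/weather.ico', hasPasswordField: false };
const SAMPLE_AFTER = { title: 'Webmail - Sign in', favicon: '/mail.ico', hasPasswordField: true };

// When loaded as a userscript or extension content script, snapshot at load and
// re-check every time the tab comes back into view.
if (typeof document !== 'undefined') {
  const atLoad = takeSnapshot(document);
  document.addEventListener('visibilitychange', () => {
    if (document.visibilityState !== 'visible') return;
    const reasons = detectTabMutation(atLoad, takeSnapshot(document));
    if (reasons.length > 0) {
      console.warn('This tab changed while you were away (' + reasons.join(', ') +
        '). Check the address bar before signing in.');
    }
  });
}
```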
The writer (irene@isolutions.co.ke) is Sales Accounts Manager with Isolutions Associates, a Network Security Consultancy Firm.