Chrome To Block Tab-Nabbing Attacks (zdnet.com) 27
Google will deploy a new security feature in Chrome next year to prevent tab-nabbing, a type of web attack that allows newly opened tabs to hijack the original tab from where they were opened. From a report: The new feature is scheduled to go live with Chrome 88, to be released in January 2021. While the term "tab-nabbing" refers to a broad class of tab hijacking attacks [see OWASP, Wikipedia], Google is addressing a particular scenario. This scenario refers to situations when users click on a link, and the link opens in a new tab (via the "target=_blank" attribute). These new tabs have access to the original page that opened the new link. Via the JavaScript "window.opener" function, the newly opened tabs can modify the original page and redirect users to malicious sites. This type of attack has powered quite a few phishing campaigns across the years. To mitigate this threat, browser makers like Apple, Google, and Mozilla have created the rel="noopener" attribute.
Why is this attack even possibl in the first place (Score:3)
Re: (Score:3)
Re: Why is this attack even possibl in the first p (Score:3)
What "legitimate" site would need to use this feature? Really, I can think of none.
Playing games like this with the user is not "ligitimate" behavior.
Re: (Score:2)
The devs probably had to create it with some kind of framework where they had to do godawful tricks to make it do what they needed it to.
Re: (Score:2)
Horde web mail is one. When you open a new window to compose a message, it can interact with the application in the main window.
Re: (Score:1)
Chrome looks to be doing this via bug ID 898942:
https://bugs.chromium.org/p/ch... [chromium.org]
Why give access to the opener at all? (Score:5, Insightful)
Why isn't the default to not give access to the opener, and require the opener to declare that it wants to give the new tab access if it needs to? Requiring an extra declaration to close the hole means the hole isn't being closed until all web sites update their pages. And frankly I can't see any good reason for the new tab to have access to it's opener at all. Plenty of bad reasons, yes, but no good ones.
Re:Why give access to the opener at all? (Score:5, Informative)
For the same reason ActiveX stuck around for so long: backwards compatibility.
Hell, the company I work for still has an internal website that breaks if you have a popup blocker. In 2020.
You know, that thing that every browser does and has done for at least the past decade? Yeah, that completely breaks the site.
Given that there are pages that break with popup blockers in 2020, it's fairly safe to assume that there are a mess of internal websites that will never be updated to support any other changes.
It's part of the problem with deciding to just declare HTML 5 a "living standard:" you can't just make changes and have new pages opt into them, all changes affect everything, so there's no way to tell a page that was written for 2010 HTML 5 compared to 2020 HTML 5.
(The worst thing is that I'm pretty sure the internal website is provided by a third party partner, who made sure to update and remove all instances of Flash, but who still demands you disable any popup blockers. In 2020. And, no, I have not bothered figuring out why saying "allow this popup" that most browsers allow doesn't work, but it doesn't. You have to let it open a popup immediately or it doesn't work. In 2020.)
Re: (Score:3, Insightful)
Remember when Apple said "We're no longer doing flash" and to the protests they said "Tough shit"? More firms need to do that, as today's security is more important than yesterday's compatibility. If your page breaks, then that's too bad. Maybe you shouldn't have been such a snowflake when designing your site.
Re: (Score:3)
If your page breaks, then hire someone to fix it.
Re: (Score:3)
Re: (Score:2)
Great idea. I love it when other people keep telling me what I want and don't want, and insist it's all in the name of keeping me safe.
Re: (Score:2)
Flash consistently ran like shit on every computer I owned from early 2000 to 2016, it's a shit format, it's a dead format.
Re: (Score:2)
I always had a simple response when an internal web site broke like that and they requested changes to settings to keep it working: "I'm sorry, the current settings are the ones supplied by IT as standard and I can't just go randomly changing them. If you need changes to them, contact IT and have them arrange to include your requirements in the corporate configuration policies.". That usually stymies them, since IT's default response to requests like that is "Please justify the business need for your change
Re: (Score:2)
I was very upset when I heard they took version numbers out of the standard. That's like removing the concept of timestamps.
How about Facebook (Score:2)
Just my 2 cents worth.
First reaction from me (Score:2)
Why the hell would they even allow this?
We can't trust the developers of Javashit to not put in "features" that is guaranteed to screw over the user, evidence of which I have seen all too often.
Dare I say that Javashit itself should be classified as malware?
Re:First reaction from me (Score:5, Interesting)
It should be allowed if the opener is on the same domain -- it's easy to imagine uses for that. But I can't see a reason to allow the opened page to modify a different domain.
Re: (Score:3)
This should be the fix. Make this "noopener" thing the new default but make exceptions for the same domain. This way it should not break "legit" uses and should stop phishing attacks.
Re: (Score:2)
Why is the second document modifying the first document?
"Because they are really programs"
OK then why is the second program modifying the first program?
*crickets*
"Its OK because the two programs are stored on the same hard drive"
This shit was never a good thing, under any of the surrounding rhetoric you might try.
Re: (Score:3)
Today browser separation is key (Score:2)
1. Private browsing - Tor
2. Trusted browsing - Hardened Firefox - browsing trusted sites only, i.e. bank, bills, known and trusted pages. The only browser with external password manager.
3. Casual browsing - Hardened Firefox inside Firejail. Complete separation from the operating system, other processes and file system.
4. Chrome - Unrestricted but with annoyances off. Development only.
Thanks to this set up I can worry less about what I com
How about content pausing (Score:1)
Can they provide something to prevent awkward content pausing (used by some sites for ads or mandatory courses) when focus is switched away from the browser window? Usually sites base this on 'focus' and 'blur' events.
Unforeseen consequences (Score:2)
There are legitimate uses of linking parent and child windows. For example, you can go to a third party shopping site, click the PayPal link, and have the payment interaction happen entirely in a separate window. However that does not mean there are negative consequences, like this one.
What I see is that: web developers discover a new trick, it gets traction, over time browser developers embrace it into a standard, and then we realize how shortsighted it was in the first place, and scramble to close the sec