In mitigating the risk of the phishing attack variant, Google is following in the footsteps of Safari and Firefox
An upcoming update to the Google Chrome browser will tackle the risks associated with reverse tabnabbing attacks.
In a tweet dated November 9, Google developer Mike West wrote that Chrome version 88 and beyond would “match Safari and Firefox's behavior of treating target=_blank links as noopener by default”.
Chrome 88 is due to be released as a stable build on January 19, 2021.
On Chromium’s Gerrit collaboration page, developers note that the browser tweak will change HTML standards handling. Specifically, altering how the anchor target=_blank is managed will mitigate the risk of reverse tabnabbing attacks.
“Anchors that target _blank should behave as if rel=noopener is set,” the commit, created by Microsoft web program manager Eric Lawrence, reads.
Web admins who need target=_blank links to keep access to the opener can opt out with rel=opener.
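As an added example (not code from Chromium or from this article), the script below audits markup for target=_blank anchors and sorts them by how the rel handling described above treats them. The function names and sample markup are constructed, and the regex-based tag scan is a simplification that assumes well-formed anchor tags.

```javascript
// Added example: audit target=_blank anchors for their window.opener exposure.
// getAttr, classifyBlankLinks and the sample markup are constructed for illustration.

// Return the value of an attribute from a tag's source text, or null if absent.
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function classifyBlankLinks(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    const target = getAttr(tag, "target");
    // The _blank keyword is matched case-insensitively, as browsers do.
    if (!target || target.toLowerCase() !== "_blank") continue;
    const rel = (getAttr(tag, "rel") || "").toLowerCase().split(/\s+/).filter(Boolean);
    let status;
    if (rel.includes("noopener") || rel.includes("noreferrer")) {
      status = "isolated";          // opener severed explicitly; noreferrer implies noopener
    } else if (rel.includes("opener")) {
      status = "opener-exposed";    // explicit opt-out of the noopener default
    } else {
      status = "default-dependent"; // isolated only in browsers that default to noopener
    }
    findings.push({ href: getAttr(tag, "href"), status });
  }
  return findings;
}

// Constructed sample markup.
const sample = `
<a href="https://a.example/" target="_blank">plain</a>
<a href="https://b.example/" target=_blank rel="noopener noreferrer">hardened</a>
<a href='https://c.example/' TARGET="_BLANK" rel="opener">opt-out</a>
<a href="https://d.example/" rel="nofollow">same tab</a>
<a href="https://e.example/" target="_blank" rel="nofollow noreferrer">noreferrer</a>`;

for (const f of classifyBlankLinks(sample)) console.log(f.status.padEnd(18), f.href);
```

Links reported as default-dependent are the ones whose isolation changes with the browser version, so adding an explicit rel=noopener to them protects users on older builds; opener-exposed links should point only at pages the site controls or trusts.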
What are tabnabbing and reverse tabnabbing?
Tabnabbing is a phishing technique in which cyber-attackers take advantage of open but inactive browser tabs to change the URL of a page.
Reverse tabnabbing is similar but targets a source page. This variation of phishing occurs when a page opened from a link can rewrite the original source page – potentially by abusing the target=_blank HTML attribute – and replace a legitimate page with a malicious one before a user returns to their previous tab.
This may lead to stolen credentials if a victim falls for the phishing attempt.
Speaking to The Daily Swig, Lawrence said end-users should, hopefully, not notice any differences in their browser sessions when the change rolls out.
When it comes to the real-world risks of tabnabbing, Lawrence added, the impact is hard to quantify.
“It’s an easy attack to demonstrate and it makes for fun demos,” the developer commented. “But I don’t think there's any data that suggests that it was something that got attacked much in the real world.”
Lawrence said that as Firefox and Safari have already implemented this change, “there's reason to believe that this change probably will not break a ton of sites”.
However, just in case it does, the change has also landed with an Enterprise Policy control to allow administrators to opt out “long enough to fix any of their broken sites”.
“The early web security model did not have isolation in a lot of places where it would’ve made sense,” Lawrence added. “This is one of them, so we’re painstakingly retrofitting in isolation where it makes sense.”