Wednesday, June 2, 2010

Tabnabbing Madness

Great, so my favorite thing about next generation browsers, tabs, is now a security risk. Thanks a lot hackers, you guys are great. Basically what's going on is a group of jerks at Firefox has figured out a way to make a tab that you have open APPEAR to be the tab you opened, but as though you logged out of whatever site you were looking at. Email, bank sites, eBay, whatever site you can think of. When you log back in, macho problems may occur.

Here's how it goes down:
You go to your Gmail, you log in, you check your mail, delete some viagra emails and move over to your Facebook page. You leave Gmail alone for a while, make a few comments about how funny your friend was when they fell in the pool yesterday, cruise back over to Gmail to see if you got any new messages from your peeps. What's this? You're signed out of Gmail? Eh, that's normal, you sign back in. That's it, it's a done deal, they now have your Gmail email address and password. What happened when you weren't looking was a little bit of javascript from a shady site you had open in another tab (likely running without your knowledge) went to work, either right after you switched tabs or even up to HOURS after you changed tabs. This little bugger rewrites the page to look like you've been logged out, so when you go back to the tab, "oh I need to put my password back in here...". Gmail opens up like it normally should and everything goes off without a hitch, because... YOU WERE NEVER LOGGED OUT.
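The thing that gives the trick away is that the page that now asks for your password is the same tab, at the same URL, that did not ask for one before you left. As an added example (not from the original post, and not any add-on's real code), here is a small tab watchdog of the kind a browser extension content script could run to flag exactly that; the shady.example host and the sample snapshots are made up for the demo.

```javascript
// Added example, not from the original post: a tab watchdog of the kind a browser
// extension content script could run. It snapshots the page when the tab is hidden
// and compares on return; the tell-tale sign is a password prompt that was not
// there before, on a page whose address never changed.

// Pure comparison so it can be exercised without a DOM.
function assessTabReturn(before, after) {
  if (before.url !== after.url) {
    // Real navigation (e.g. the site sent you to its own login page): the address
    // bar reflects it, so this is not a silent rewrite of the same page.
    return { suspicious: false, reasons: ['page navigated; check the address bar'] };
  }
  const reasons = [];
  const passwordAppeared = !before.hasPasswordField && after.hasPasswordField;
  if (passwordAppeared) reasons.push('a password field appeared while the tab was hidden');
  if (before.title !== after.title) reasons.push('title changed: "' + before.title + '" -> "' + after.title + '"');
  if (before.favicon !== after.favicon) reasons.push('favicon changed while the tab was hidden');
  // Title/favicon changes alone are normal (unread counts etc.); only a new
  // password prompt on an unchanged URL counts as suspicious.
  return { suspicious: passwordAppeared, reasons };
}

function snapshot(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    url: loc.href,
    title: doc.title,
    favicon: icon ? icon.href : '',
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Constructed sample snapshots (hypothetical host) for running without a browser.
const SHADY_BEFORE = { url: 'http://shady.example/article', title: 'Funny cat pictures',
  favicon: 'http://shady.example/cat.ico', hasPasswordField: false };
const SHADY_AFTER = { url: 'http://shady.example/article', title: 'Gmail: Sign in',
  favicon: 'http://shady.example/mail.ico', hasPasswordField: true };

// Wire it up when running inside a page.
if (typeof document !== 'undefined') {
  let before = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) { before = snapshot(document, location); return; }
    if (!before) return;
    const verdict = assessTabReturn(before, snapshot(document, location));
    if (verdict.suspicious) console.warn('Tab changed while hidden:\n' + verdict.reasons.join('\n'));
  });
}
```

Run in Node, `assessTabReturn(SHADY_BEFORE, SHADY_AFTER)` reports the page as suspicious; a real sign-out that navigates to a different login URL is not flagged, because the address bar already shows you moved.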

The bottom line here is it's up to you to protect yourself. You need to be in charge of how your system runs and what you are viewing/doing online. The key to avoiding this security risk is always always always review what URL you are entering your password data into. That's it. When using computers connected to the Internet the rule of thumb has always been "constant vigilance." This is just one more thing to add into your mental check list you run through anytime something online looks suspicious.

Right now this is just a proof of concept the guys over at Firefox hammered out, we don't know that hackers are actually doing this yet. I get why Firefox is making note of it, they have a sweet add-on that should stop this from happening. It's called "Noscript". This add-on stops javascript from running hog wild, and requires the user to select in advance the sites they would like to allow javascript to run on. Kind of a pain, but if you are too lazy for "constant vigilance", "Noscript" is a good answer. There will be a little setup using Noscript, you'll have to go through and pick out the sites you visit on a daily basis that you already trust. And you'll have to be aware of what sites you are viewing and who runs them in the future. You'll obviously want to add more sites into your list of acceptable javascript sites, so there is some vigilance in there, but when using a computer connected to the Internet there's really no way around it.

For me this really isn't an issue, I don't have any money for hackers to steal anyway. *shrug*

Here's where I learned about this. Props to Ian and Alan for letting me know!
