Hi team,
I am a security researcher and I found this vulnerability in your website: https://www.phoenixdao.io/

Vulnerability report: Reverse Tab Nabbing Attack

Issue lies here: `<a href="https://twitter.com/KG_CryptoCat" target="_blank">`
Here I can see you are using target=_blank and no rel attribute.
Here, target=_blank means it will open in another new tab, but due to tab nabbing it can change the parent tab as well. So, as per the security principle, don't trust third parties too much and stay on the safe side.
FIX & MITIGATION: To mitigate this issue we need to use rel="nofollow noopener noreferrer" as follows:
`<a href="https://twitter.com/KG_CryptoCat" rel="nofollow noopener noreferrer" target="_blank">`
Proof of concept: https://www.instagram.com/loc.game/
Tab Nabbing Exploit:
Whenever you open a new tab by clicking a link whose HTML code looks like this, JavaScript will keep a reference to the window object of the site that opened the tab:
Blog
You are not allowed to read the location of the site that opened the tab, whether the rel = "noreferrer" attribute is set or not. However, what you can do is change the location of the opener by using the following JavaScript code:
window.opener.location = 'https://attacker.com/phishing';
The tabnabbing attack would happen as follows:
1. The victim clicks a link on https://example.com/ containing target = "_blank", which leads to https://attacker.com/
2. https://attacker.com/ immediately redirects the tab where https://example.com/ is located to https://attacker.com/phishing
3. The victim looks at the attacker.com page and then goes back to the previous tab containing a phishing page that looks exactly like https://example.com/, but prompts the victim to enter their login details again
This makes a phishing attack much more effective, because the user is not expecting such behaviour and thinks they are still on the original page ('tabnabbing'). The way to thwart this attack is to use rel = "noopener", though rel = "noreferrer" has the same effect.
It's interesting how such a small parsing mistake can have such a huge impact on the security of an application.
In this report I have only talked about twitter but you have to use rel="nofollow noopener noreferrer" in all the external links present in your website.
References:
1: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
2: https://developers.google.com/web/tools/lighthouse/audits/noopener
3: https://mathiasbynens.github.io/rel-noopener/
I hope you will fix this issue as soon as possible. Looking forward to hearing from you. Thank you.
Regards,
Lianna John
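The following is an added example, not part of the report above and not code from the phoenixdao.io project: a small Node.js audit that finds every `<a target="_blank">` in a page's HTML that lacks `rel="noopener"` or `rel="noreferrer"`, and a rewriter that adds the missing tokens. It tokenises anchor start tags with regular expressions (good enough for templates and static markup, not a full HTML parser), and the sample markup is constructed here; it includes the report's original link and the malformed fix line from the report, which the audit still flags because the attribute has no `rel=` name.

```javascript
// Added example (not part of the original report): audit and harden anchors that open a new
// browsing context (target="_blank") without rel="noopener" / rel="noreferrer".
// Regex tokenising of <a ...> start tags only; sufficient for templates and static HTML.

const ANCHOR_RE = /<a\b([^>]*)>/gi;
// name, then optionally = "value" | 'value' | bare-value
const ATTR_RE = /([^\s=]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const REL_ATTR_RE = /\brel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i;

// Parse the attribute string of one start tag into a lower-cased name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// rel is a space-separated token list; either noopener or noreferrer breaks window.opener.
function isProtected(relValue) {
  const tokens = relValue.toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.includes('noopener') || tokens.includes('noreferrer');
}

// Returns one finding per <a target="_blank"> whose rel lacks noopener/noreferrer.
function auditAnchors(html) {
  const findings = [];
  let m;
  ANCHOR_RE.lastIndex = 0;
  while ((m = ANCHOR_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if ((attrs.target || '').toLowerCase() !== '_blank') continue;
    if (isProtected(attrs.rel || '')) continue;
    findings.push({ tag: m[0], href: attrs.href || '', index: m.index });
  }
  return findings;
}

// Rewrites each unprotected target="_blank" anchor, keeping any existing rel tokens
// (e.g. nofollow) and appending noopener noreferrer.
function hardenAnchors(html) {
  return html.replace(ANCHOR_RE, (tag, raw) => {
    const attrs = parseAttrs(raw);
    if ((attrs.target || '').toLowerCase() !== '_blank') return tag;
    if (isProtected(attrs.rel || '')) return tag;
    const tokens = (attrs.rel || '').split(/\s+/).filter(Boolean);
    tokens.push('noopener', 'noreferrer');
    const relAttr = `rel="${tokens.join(' ')}"`;
    if (attrs.rel !== undefined) {
      const rewritten = tag.replace(REL_ATTR_RE, relAttr);
      if (rewritten !== tag) return rewritten;
    }
    return `<a${raw} ${relAttr}>`;
  });
}

// Constructed sample markup: the report's link, the report's malformed fix line,
// a correctly protected link, and a same-tab link that needs no change.
const SAMPLE_HTML = [
  '<a href="https://twitter.com/KG_CryptoCat" target="_blank">Twitter</a>',
  '<a href="https://twitter.com/KG_CryptoCat""nofollow noopener noreferrer" target="_blank">Broken fix</a>',
  '<a href="https://example.com/docs" rel="nofollow noopener noreferrer" target="_blank">Safe</a>',
  '<a href="/about">Same tab</a>',
].join('\n');

console.log('unprotected:', auditAnchors(SAMPLE_HTML).map((f) => f.tag));
console.log(hardenAnchors(SAMPLE_HTML));
```

Run it with `node` to list the two unprotected tags and print the hardened markup. Browsers that follow current HTML treat `target="_blank"` as implicitly `noopener` (Chrome 88, Firefox 79 and Safari 12.1 onwards), so the explicit `rel` matters for older clients and for `window.open()` calls, which get the same protection from a `'noopener'` feature string; `noreferrer` additionally withholds the `Referer` header.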