While we have fancy ways of opening new windows with modern web languages, it’s good to know you can rely on the “target” attribute on a hyperlink to get the job done. Except it’s one of the more straightforward ways of initiating a phishing attempt.
Image: Olli Henze / Flickr, licensed under Creative Commons 2.0
As developer Alex Yumas explains, in modern browsers the target="_blank" makes use of window.opener, which can be repurposed for malicious uses:
The page we’re linking to gains partial access to the source page via the window.opener object. The newly opened tab can then change the window.opener.location to some phishing page. Or execute some JavaScript on the opener-page on your behalf… Users trust the page that is already opened, they won’t get suspicious.
If you’re wondering when the likes of Google will get onto fixing this, well, you’ll be waiting a while:
Over the past few months, we have received a significant number of reports about a “reverse tabnabbing” attack, where a foreground tab opened from a trusted application, and displaying an attacker-controlled website, uses window.opener.location.assign() to replace the background tab with a malicious document. Of course, this action also changes the address bar of the background tab — but the attacker hopes that the victim will be less attentive and will blindly enter their password or other sensitive information when returning to the background task.
Unfortunately, we believe that this class of attacks is inherent to the current design of web browsers and can’t be meaningfully mitigated by any single website; in particular, clobbering the window.opener property limits one of the vectors, but still makes it easy to exploit the remaining ones.
We can’t do much about attackers purposefully setting up phishing sites and messing around with open windows, but you can give your own visitors piece of mind by adding rel="noopener noreferrer" to you window-opening hyperlinks.
Target=”_blank” – the most underestimated vulnerability ever [Medium]
Comments