Modern web languages give us fancier ways of opening new windows, but it is good to know that the plain “target” attribute on a hyperlink still gets the job done. The catch is that it is also one of the more straightforward ways of handing an attacker a phishing foothold.
As developer Alex Yumas explains, in modern browsers a page opened through target="_blank" receives a window.opener reference back to the page that linked to it, and that reference can be repurposed for malicious uses.
If you are wondering when the likes of Google will get around to fixing this, you will be waiting a while. This is how Google responded to the reports:
Over the past few months, we have received a significant number of reports about a “reverse tabnabbing” attack, where a foreground tab opened from a trusted application, and displaying an attacker-controlled website, uses window.opener.location.assign() to replace the background tab with a malicious document. Of course, this action also changes the address bar of the background tab — but the attacker hopes that the victim will be less attentive and will blindly enter their password or other sensitive information when returning to the background task.
Unfortunately, we believe that this class of attacks is inherent to the current design of web browsers and can’t be meaningfully mitigated by any single website; in particular, clobbering the window.opener property limits one of the vectors, but still makes it easy to exploit the remaining ones.
We cannot do much about attackers who deliberately set up phishing sites and tamper with the windows they were handed, but you can give your own visitors peace of mind by adding rel="noopener noreferrer" to every hyperlink that uses target="_blank". noopener makes the browser open the new page with window.opener set to null, so the script on the far side has nothing to call location.assign() on; noreferrer additionally suppresses the Referer header and, in browsers that understand it, implies noopener, which is why the two are usually combined. Recent browsers apply noopener to target="_blank" links by default, but the explicit attribute costs nothing, covers older browsers, and documents the intent; links opened from script with window.open() need the equivalent "noopener" window feature, since the rel attribute does not apply to them.
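The check below is an added example, not code from the original article or from Alex Yumas: a small script that audits static HTML for target="_blank" links that still hand the new page a usable window.opener, and rewrites them with rel="noopener noreferrer" while keeping any rel tokens they already carry. It is a regular-expression attribute scanner for templates and built pages, not a full HTML parser, and the function names, the constructed SAMPLE_HTML and the handling of case and of existing rel values are this example's own choices.

```javascript
// Added example, not code from the original article or from Alex Yumas.
// Audit static HTML for <a target="_blank"> links that keep window.opener
// reachable, and rewrite them with rel="noopener noreferrer". This is a
// regular-expression attribute scanner, not a full HTML parser: use it as a
// CI check over your own templates and built pages, not on hostile input.

// One start tag per match; group 1 is everything between "<a" and ">".
const ANCHOR_RE = /<a\b([^>]*)>/gi;
// name="value", name='value' or name=value inside a start tag.
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function parseAttrs(attrText) {
  const attrs = {};
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    // Attribute names are case-insensitive in HTML; values are kept verbatim.
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// True when the link opens a new browsing context that keeps window.opener.
// The _blank keyword and rel tokens are matched ASCII case-insensitively, as
// browsers do. noreferrer counts as safe because the HTML spec says it
// implies noopener.
function keepsOpener(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Report every offending anchor with its offset, href and raw start tag.
function auditBlankTargets(html) {
  const findings = [];
  ANCHOR_RE.lastIndex = 0;
  let m;
  while ((m = ANCHOR_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (keepsOpener(attrs)) {
      findings.push({ offset: m.index, href: attrs.href ?? null, tag: m[0] });
    }
  }
  return findings;
}

// Return the markup with rel="noopener noreferrer" merged into each offending
// anchor; existing rel tokens such as nofollow are preserved.
function hardenBlankTargets(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!keepsOpener(attrs)) return tag;
    const tokens = (attrs.rel || '').split(/\s+/).filter(Boolean);
    const lower = tokens.map((t) => t.toLowerCase());
    for (const needed of ['noopener', 'noreferrer']) {
      if (!lower.includes(needed)) tokens.push(needed);
    }
    const newRel = `rel="${tokens.join(' ')}"`;
    if ('rel' in attrs) {
      // Replace the existing rel attribute in place; inside a start tag it is
      // always preceded by whitespace, so data-rel and similar are left alone.
      return tag.replace(/(\s)rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, `$1${newRel}`);
    }
    return `<a${attrText} ${newRel}>`;
  });
}

// Constructed sample markup (not from any real site) for a stand-alone run.
const SAMPLE_HTML = `<p>
<a href="https://example.com/a" target="_blank">one</a>
<a target="_blank" rel="nofollow" href="/b">two</a>
<a href="/c" target="_blank" rel="noopener">three</a>
<a href="/d">four</a>
<a href="/e" rel="noreferrer" TARGET="_BLANK">five</a>
</p>`;

for (const f of auditBlankTargets(SAMPLE_HTML)) {
  console.log(`offset ${f.offset}: ${f.tag}`);
}
console.log(hardenBlankTargets(SAMPLE_HTML));
```

Only links "one" and "two" are reported; "three" already has noopener, "four" does not open a new context, and "five" is covered by noreferrer despite the upper-case TARGET="_BLANK". For windows opened from script rather than markup, the equivalent is window.open(url, '_blank', 'noopener'), which returns null instead of a handle; the older fallback is to open normally and immediately set the returned window's opener property to null.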