14 DAY TRIAL // Some major Internet services are exposing their users to phishing attacks by using the target="_blank" attribute inside links in an unsafe manner.
There have been numerous reports in the past about the dangers of using the target="_blank" attribute, dating back to as far as 2014, and some even with attention-grabbing titles such as Target="_blank" - the most underestimated vulnerability ever.
The "reverse tabnabbinb" attack
The concept behind this flaw is that when users click on a link on a website that uses the target="_blank" attribute, the browser opens a new tab for the link, but also, for a very brief moment, allows the new tab to communicate with the original tab using a browser feature called the window.opener API.
An attacker can place malicious code on the newly opened website, check the source of the click, and force the original tab to open a new URL.
For example, if the user clicks a link on Facebook (which uses target="_blank"), the attacker could reload the original Facebook page with a clone that could later ask the user to relogin, collecting their credentials.
Instagram, Facebook, Twitter vulnerable to this attack
Developer Ben Halpern has identified major websites that are vulnerable to this flaw. The list includes Instagram, Facebook, and Twitter.
Of them, only Instagram has addressed the flaw following Halpern's report while Twitter is vulnerable via Safari only. Google has already said it does not care about this "reverse tabnabbing" issue.
"Unfortunately, we believe that this class of attacks is inherent to the current design of web browsers and can't be meaningfully mitigated by any single website," the company explained many years before, "in particular, clobbering the window.opener property limits one of the vectors, but still makes it easy to exploit the remaining ones."
Fixing the issue falls on website administrators
The company answered in its capacity as a browser vendor. In reality, fixing the issue falls on webmasters and website owners.
The simplest way to mitigate the attacks is to add the rel="noopener" attribute to all links embedded on a site. For Firefox, which does not fully support that attribute, developers should use rel="noopener noreferrer" instead.
Twitter's approach to this issue is the best way. The company uses scripts to add this attribute automatically. Halpern says that a malfunctioning script might also be to blame for why this attack works on Safari alone on Twitter links, and not other browsers.
Below is an animated GIF showing how the attack works.
