Sunday, May 30, 2010

Tabnabbing Without Javascript

    I recently came across a new type of phishing attack called tabnabbing. The attack works by using a client side script to detect when the user is not viewing the page, then changes the page content to a phishing page.

    This method desribed by Aza Raskin could be easily prevented by disabling Javascript. However, it is possible to perform the attack even if Javascript is disabled. Most browsers have the ability to refresh the page using a <meta> refresh tag. The page waits until presumably the user isn't looking at the tab any more, then changes the location of the page to one that resembles the true site (as shown in this proof of concept).

If you got to this post via the POC please note that the POC is not a phishing site and I DO NOT log ANY usernames or passwords.


  1. Yikes, that's even scarier than the one Aza posted. Really interesting stuff though.

  2. Nice demo, though would be more educational if you add "Evil page!" step after user clicks "Log me it".

  3. This comment has been removed by a blog administrator.

  4. Hi will you please tell us how to prevent this attack?


Have something you want to say? You think I'm wrong? Found something I said useful?
Leave a comment!