The upcoming stable release of Google Chrome will fix a major security loophole. Chromium developers are currently working to mitigate “tab-napping” attacks. The fix will enhance the security of web pages that open in a new tab or window. This feature will land in Google Chrome version 88, set for release on January 19, 2021.
What is a ‘tab-napping’ attack?
is the same attack. Whenever you click on a URL on a web page, it will either open in the same tab or a new tab/window, depending on the behavior specified by the authors of the website.
Similar to phishing, tab-napping is a deceptive attack. In this attack, threat actors use malicious web pages to trick you into entering your login credentials. Websites can add the target="_blank" attribute to a link they wish to open in a new tab. It directs Chrome, or any other web browser, to open the link in a new tab.
Due to a known security issue with the attribute, the newly opened page could use JavaScript to redirect the page that opened it to a different, malicious URL.
For example, let’s assume that you have around 10-15 tabs open in Chrome, and you click on a link to some interesting article. Now, the web page asks you to verify your Facebook or Gmail login credentials to proceed. It may not be a genuine web page but a phishing page designed to extract your login information, and you are more likely to enter your credentials since you did not open the link through an email.
Website authors can use the rel="noopener" HTML link attribute to prevent new tabs from using JavaScript to redirect to a different URL. However, websites have to add the attribute manually to every link that has the target="_blank" attribute.
In his Chromium Gerrit commit, Microsoft Edge developer Eric Lawrence had this to say:
“To mitigate ‘tab-napping’ attacks, in which a new tab/window opened by a victim context may navigate that opener context, the HTML standard changed to specify that anchors that target _blank should behave as if |rel="noopener"| is set. A page wishing to opt out of this behavior may set |rel="opener"|.”
A couple of years ago, Apple implemented this security mechanism in its Safari browser. As a result, Safari has been able to safeguard users against tab-napping by new tabs even if the website authors did not use the rel="noopener" attribute. Apart from Chrome, this feature will also be part of Microsoft Edge.
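The rel handling described above can be checked across a site's markup with a short audit script. This is an added example, not code from the article or from the Chromium change; the function names and the sample HTML are constructed for illustration, and treating rel="noreferrer" as implying noopener follows the HTML standard.

```javascript
// Added example: flag target="_blank" links that still expose window.opener.
// Regex scan for audit use, not a full HTML parser (a ">" inside an attribute
// value would cut the tag short).
const LINK_RE = /<(a|area)(?=[\s\/>])([^>]*)>/gi;
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    // First occurrence wins, as in browsers.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// "safe":     not a _blank link, or rel carries noopener / noreferrer
// "opt-out":  rel="opener" deliberately keeps window.opener; review the target
// "implicit": no rel token; opener is cut only by browsers with the new default
function classify(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank") return "safe";
  const rel = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  if (rel.includes("noopener") || rel.includes("noreferrer")) return "safe";
  return rel.includes("opener") ? "opt-out" : "implicit";
}

function auditLinks(html) {
  const findings = [];
  for (const m of html.matchAll(LINK_RE)) {
    const attrs = parseAttrs(m[2]);
    const status = classify(attrs);
    if (status === "safe") continue;
    const line = html.slice(0, m.index).split("\n").length;
    findings.push({ line, href: attrs.href || "", status });
  }
  return findings;
}

// Constructed sample markup (example.test is a placeholder domain).
const SAMPLE_HTML = `
<a href="https://example.test/article" target="_blank">article</a>
<a href="https://example.test/docs" target="_BLANK" rel="nofollow noopener">docs</a>
<a href="https://example.test/pay" target=_blank rel='opener'>payment popup</a>
<a href="/about">about</a>
<a href="https://example.test/ref" target="_blank" rel="noreferrer">ref</a>`;

for (const f of auditLinks(SAMPLE_HTML)) {
  console.log(`line ${f.line}: ${f.status} ${f.href}`);
}
```

Links reported as "implicit" are the ones that still depend on the visitor's browser applying the noopener default; adding rel="noopener" to them covers older browsers as well.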