How to foil Web browser 'tabnapping'

Patches may never come, but you can take steps to stymie tab kidnapping

Page 2 of 2

"Behind the scenes, [IE's] SmartScreen Filter also plays a role in combating this sort of hijacking attempt," said Microsoft's Bryant, referring to the anti-malware and anti-phishing filter built into IE. "SmartScreen successfully blocks millions of views of malicious pages each month and would help protect the user in this situation."

Microsoft has commissioned NSS Labs to conduct several studies of filtering efficiency, most recently earlier this year. Not surprisingly, IE regularly comes out atop the chart in NSS Labs' ensuing reports, with Apple's Safari and Mozilla's Firefox far behind, and Google's Chrome and Opera Software's Opera even further back.

Other browsers have tools similar to SmartScreen. In Firefox and Chrome it's called "Phishing and Malware Protection;" Opera dubs its filter "Fraud Protection;" Safari doesn't give it a name, but simply offers a setting that reads, "Warn when visiting a fraudulent website" in the Security section of its Preferences settings.

Anything else I can do while I use my browser to stymie tabnapping? Yes, there is. Look at the URL in your browser's address bar before filling in any form or giving out any personal information. Unless the attackers are particularly clever and able to exploit a vulnerability or flaw to "spoof," or fake, the URL, it won't match the bogus log-in screen.

That's your cue to close the tab immediately.

IE8 has a feature dubbed "Domain Highlighting" that helps here: The actual domain -- the part -- is highlighted in black, while the rest of the URL is grayed out.

Any add-ons I can try that will help? Of course. Whether they work or not is a different question.

NoScript, the premier script-blocking Firefox add-on, stops Raskin's proof-of-concept in its tracks, since his tabnapping relies on JavaScript. But it's not foolproof.

Israeli researcher Aviv Raff has created code that circumvents NoScript's defenses in Firefox to kidnap a tab. Computerworld has confirmed that Raff's code produces a tab change even when NoScript is installed in Firefox.

What about password managers? Will they help here? They can.

Third-party browser password managers -- RoboForm on Windows, 1Password on Mac come to mind -- link saved log-in usernames and passwords to a specific URL. Assuming you saved the username and password while at the real site's log-in page, you're golden: The manager won't enter the username and password into a non-matching URL.
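The URL-matching rule a password manager applies before filling saved credentials, as an added example that is not code from the original article or from RoboForm or 1Password; the hostnames and the `SAVED_LOGIN` entry are constructed for the illustration:

```javascript
// Added example (not Computerworld's, RoboForm's or 1Password's code): a
// minimal origin-matching rule of the kind a password manager applies before
// it fills saved credentials, and why it beats eyeballing the address bar.
// Every hostname below is constructed for this example.

// Saved entry: credentials stored while the user was on the real log-in page.
const SAVED_LOGIN = {
  origin: "https://accounts.example.com", // constructed example site
  username: "alice",
};

// Return the origin (scheme + host + port) the browser treats as the page's
// identity, or null when the string is not an absolute http(s) URL.
function pageOrigin(urlString) {
  try {
    const u = new URL(urlString);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    // origin drops path, query, fragment and any "user@" prefix,
    // so https://accounts.example.com@evil.test resolves to evil.test
    return u.origin;
  } catch (e) {
    return null;
  }
}

// The manager's rule: fill only when the current page's origin is exactly the
// origin the credentials were saved on. A tabnapped page showing a copied
// log-in form on some other host never satisfies it.
function shouldAutofill(saved, currentUrl) {
  const origin = pageOrigin(currentUrl);
  return origin !== null && origin === saved.origin;
}

// Classify a list of address-bar values; returns [{url, fill}, ...].
function classify(urls) {
  return urls.map((url) => ({ url, fill: shouldAutofill(SAVED_LOGIN, url) }));
}

// Constructed address-bar values: the real site, a subdomain trick, a
// look-alike typo, a scheme downgrade and a user@host confusion.
const SAMPLE_URLS = [
  "https://accounts.example.com/login?next=/inbox",
  "https://accounts.example.com.evil.test/login",
  "https://acounts.example.com/login",
  "http://accounts.example.com/login",
  "https://accounts.example.com@evil.test/login",
];

console.table(classify(SAMPLE_URLS)); // only the first entry gets fill: true
```

The same exact-origin comparison is what makes a manager's silence on a page a useful signal: if it declines to fill, the URL is not the one you saved the credentials on.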

I've heard that Chrome isn't vulnerable. True? Nope. Although several sites initially reported that Chrome didn't fall for tabnapping -- Computerworld noted that Raskin's tactic worked some of the time on production editions -- it turns out that Google's browser had a bug that prevented kidnapping.

That bug was fixed in the Chrome developer preview build 6.0.408.1, said Raskin in an exchange of e-mails with Computerworld today. "Chrome is fully susceptible to this attack," Raskin wrote.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is

Copyright © 2010 IDG Communications, Inc.
