
I got very concerned reading this genius post by Aza Raskin.

What are the non-browser solutions to defend against TabNabbing? Are there any?

A: 

Like he suggests, use the password manager. There are quite a few other problems that can happen if you type your password every time. For sites where the password manager doesn't work, you're screwed. Client certificates ftw.

Longpoke
In my country, most online banks use a digital keyboard to secure against most keyloggers. This makes it impossible to use the password manager. What do you mean by client certificates?
Alix Axel
@Alix Axel: X.509 client certificates. What do you mean by digital keyboard? Typing a password into a web interface? My bank makes me do that too, and it restricts you to an 8-character alphanumeric password. Too bad for them.
Longpoke
I mean this: https://caixadirecta.cgd.pt/CaixaDirecta/loginStart.do and this: https://www.mbnet.pt/servlet/pvtn?TRN=NH45701F00. The former is our national bank (about 5M customers); luckily they require a matrix code (https://caixadirecta.cgd.pt/StaticFiles/images/Caixa%20Directa%20Online/CartaoCEB.jpg) to make any operations, so stealing the user/pass would only get you read access. The latter is more critical: it's connected to the national ATM network and generates virtual credit cards while requiring only the username and password (only the password is subject to the virtual keyboard).
Alix Axel
Why so -1?
Longpoke
+1  A: 

One thing that will prevent this sort of thing from happening is two factor authentication using something like an RSA token (unfortunately only one bank in this country provides this method).

The RSA token is a little USB stick sized gadget that has a continuously changing serial/sequence number on it, and it is issued to you (each stick has a different sequence of numbers). When you log on to your bank's website, you have to supply your login/password, and also the current number on the RSA token - that number changes every two minutes. That means that if the bad guys collect your login details they have less than two minutes to log in to your account before the current RSA sequence number changes and the captured login details become impossible to reuse.

This 2 factor authentication is not the silver bullet though; I don't see Google rolling this out for your random Gmail account, and neither will Facebook. It should be mandatory for financial institutions and online government departments; this will cut the scope of this type of attack. It is a commonly used protection mechanism for remote access to company website portals and remote network logins, and it is quite successful for this.

This still hasn't answered your question though - how can you as a website author or owner prevent this? You can't, unless you don't run third party scripts, and regularly check your pages to make sure you haven't been compromised and had a script inserted. You should never consider trying to scan any third party scripts, because they can be obfuscated to an incredible degree which you can't possibly scan for. If you do run third party scripts and feel strongly enough about this, then you might want to set up a machine whose only job is to run automated UI tests on your web site - it is an easy enough thing to set up with some basic tests and just leave it testing your live site every 30 or 60 minutes looking for unexpected results.

slugster
Two factor authentication is awesome, but regarding your answer, having 3rd party scripts is only half of the problem the way I see it. What if StackOverflow for instance replaced its UI with a Gmail Login UI and scrambled the URL to make it look like GMail?
Alix Axel
This should be the norm for important stuff. Fortunately Blizzard has this implemented for World of Warcraft, important stuff!
mxmissile
2 factor authentication is not going to help. An attacker website could morph into a bank website and then act as a proxy. The user will enter the security token + username/password, and will in turn get to his account details. In the process, the attacker website has complete access to the user's session. This can even bypass things like captcha, or personalized messages.
sri
@sri: It should work like this: 1. The bank sends a cryptographic challenge, provides cryptographic proof of its identity and establishes a TLS session. 2. You get the challenge and the identity. **Only after** verifying the identity, you sign the challenge and respond with it through the secured channel. 3. The server and you are now both verified. Step 2 is done by software (i.e. the browser); there is no human intervention.
Longpoke
@Alix, you are correct, there is nothing to stop a "normal" website from having this attack baked in as part of the site, but this is deviating from the OP's tabnabbing attack into a straight phishing attack. 2FA is not the total answer, just part of it, because it drastically reduces the window of opportunity that the bad guy has to use the stolen credentials. No longer can he just log the info and then on-sell it to another party to use or keep it for himself to use at a later date, because it has to be used straight away.
slugster
A: 

I just visited the page which you mention and my free virus checker (AVG) immediately detected a threat (I presume that he has an example on the page) and warned me of a Tabnapping Exploit.

So that's one easy possibility.

LeonixSolutions
No, depending on antivirus for anything is silly. AVG probably just hardcoded that address since it's popular, to make it look as if they have some magic fake page detector so more people install->buy AVG. In any case, I find it hard to believe that they did something that stupid.
Longpoke
He has the script running on his page. After reading the article I left my browser open; after coming back to my PC, the title said Gmail etc., however the screen was blank.
mxmissile
@mxmissile: Humm.. Weird. It shows an image of Gmail to me.
Alix Axel
@mxmissile @Alix Axel It's there for demonstration. He could have implemented the real Gmail interface if he wanted to.
Longpoke
@Longpoke: I know, I was just addressing @mxmissile comment. :)
Alix Axel
+2  A: 

"Tab Nabbing" is not a new attack; Mr Raskin is ripping off other researchers' work. PDP from GnuCitizen discovered this back in 2008.

The biggest threat as I see it is Phishing. To be honest I don't think there is a good solution to stop phishing. This particular issue, I think, should be fixed by the browser. Eventually Firefox and Chrome will get around to fixing it. To be honest SSLStrip is a bigger threat that all browsers face, which can be used alongside this redirection attack. Currently Chrome has a fix in the form of STS and Firefox in the form of HTTPS Everywhere. Using NoScript will also help mitigate this redirection attack.

Rook
For anyone who actually wants to know what STS is, see here: http://en.wikipedia.org/wiki/Strict_Transport_Security It's worth noting that STS doesn't stop this attack unless the `max-age` portion of the STS header is set to a very high value; it would be better if it had an infinite value, seeing as I don't want to _ever_ access my bank without TLS within my lifetime. Additionally, the browser should keep the STS cache in persistent storage (i.e. the disk), but the STS spec doesn't mandate this; hopefully all browser vendors use common sense and do that.
Longpoke
@Longpoke STS is better than nothing (IE, Safari, Opera have no protection). Although I think that HTTPS Everywhere is a better approach.
Rook
Of course it's better than nothing if used right; it should be mandatory. Maybe browsers could ship with an STS cache too, to prevent attacks at bootstrap. Also I don't see how Raskin is ripping anyone off, as "tabnabbing", like most phishing attacks, is pure common sense.
Longpoke
@Longpoke "tab nabbing" (stupid name) is actually a bit more complex than your usual phish; you should see Raskin's video if you are interested. Although it's not a very serious issue it's pretty tricky and I could see how it would fool people, so if I were project lead of a browser I would make sure it was fixed. SSLStrip is a cooler attack.
Rook
How is it not a very serious issue? 100% minus an infinitesimal number of users will _never_ look at their address bar (and if they do, you can just make a lookalike Unicode domain). Indeed, it's almost impossible for even a user who knows what he's doing to know the tab is fake short of checking over the source code of the site. Checking for the SSL symbol is a little easier, but not all sites _have_ SSL. Solving this problem implies solving SSLStrip anyways.
Longpoke
@Longpoke If this redirection attack were a serious issue then this would have gotten fixed 2 years ago. It will be fixed eventually and it probably will never get a CVE number. Also some of the attacks used in SSLStrip have been fixed, most importantly the null byte poisoning, as well as the punycode domain name spoofing vulnerability.
Rook
@The Rook: Assembly level vulnerabilities are a serious threat, they haven't been fixed after 9000 years even though the fix is dead simple (provide a verified processor that runs JVM bytecode [inb4 "too slow" IDC, all I do is edit docs that I prefer not to have stolen]). Dunno what "null byte poisoning" has to do with this, I was referring to stripping the HTTPS session and replacing with an HTTP (hence the name SSLStrip). I guess your definition of a serious issue isn't something that affects over 99% of users.
Longpoke
I never heard of the IDN whitelist before (I always wondered why Firefox gives broken behavior with Unicode domains :), I guess that sort of mitigates the Unicode domain lookalikes, not really a real fix though...
Longpoke
@Longpoke That is one feature of sslstrip, but Moxie Marlinspike's attack was a bit more complex. You should see his Black Hat 2009 talk; the video is up on the sslstrip site.
Rook