Chrome to block "tab-under" redirects by default


Post by barbaz » Wed Oct 04, 2017 9:34 pm

*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: https://forums.informaction.com/viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 7105
Joined: Sat Aug 03, 2013 5:45 pm

Re: Chrome to block "tab-under" redirects by default

Post by Thrawn » Wed Oct 04, 2017 10:32 pm

I'd say that standard advice applies. If you've blocked a site, it can't do anything like this. If you've whitelisted it, it can redirect, but whatever site it redirects to will probably be blocked.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Thrawn
Senior Member
 
Posts: 3020
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Chrome to block "tab-under" redirects by default

Post by therube » Wed Oct 04, 2017 11:25 pm

Just how does one determine what is a "malicious" tab-under... popup... vs. one that is wanted?

So just like NoScript "blocks", & uBlock "blocks", & ... "blocks", there may be good or not so good consequences in doing so.


Removing the entries from dom.popup_allowed_events may help thwart such stuff.
But by the same token, there may be instances when such blocked actions are needed - on legitimate sites. So...

Typically what you might see is an attempt for something to open, but the action is squashed.


And even with that, there will always be a work-around to a work-around.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.1 Lightning/5.4
therube
Ambassador
 
Posts: 6703
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Chrome to block "tab-under" redirects by default

Post by barbaz » Wed Oct 04, 2017 11:42 pm

Thrawn wrote: I'd say that standard advice applies. If you've blocked a site, it can't do anything like this. If you've whitelisted it, it can redirect, but whatever site it redirects to will probably be blocked.

True that. But the reason I ask is because NoScript has tabnapping protection (noscript.forbidBGRefresh) which can be set to work even on whitelisted sites. Just wondering if that can or should apply here?

therube wrote: Just how does one determine what is a "malicious" tab-under... popup... vs. one that is wanted?

Under what circumstances would you want a tab-under redirect?

Re: Chrome to block "tab-under" redirects by default

Post by Thrawn » Fri Oct 06, 2017 12:40 am

barbaz wrote: NoScript has tabnapping protection (noscript.forbidBGRefresh) which can be set to work even on whitelisted sites. Just wondering if that can or should apply here?

It certainly isn't the same case, since tab-unders happen in the foreground. Theoretically it would be possible for NoScript to introduce countermeasures, but it doesn't strike me as a security issue, only an advertising one.

The interesting thing about this is that it combines two perfectly normal link behaviors: opening a copy of the site in a new tab, and going to a new site. It's only when the two occur at the same time that it's almost certainly not what the user wanted.
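
Thrawn's point above, that each half is a normal link behavior and only the combination is suspect, written as a detection heuristic over a constructed event log. This is an added example, not part of any post and not Chrome's or NoScript's logic; the event fields, the `findTabUnders` name and the 1000 ms window are assumptions.

```javascript
// Added illustration: flags "tab-under" pairs in a browser event log.
// The event shape, field names and 1000 ms window are assumptions made for
// this example; this is not Chrome's or NoScript's actual logic.
const WINDOW_MS = 1000;

const originOf = (url) => new URL(url).origin;

function findTabUnders(events, windowMs = WINDOW_MS) {
  const lastOpen = new Map(); // opener tab id -> time its click opened a new tab
  const findings = [];
  for (const ev of events) {
    if (ev.type === "open" && ev.userGesture) {
      lastOpen.set(ev.openerTab, ev.t);
    } else if (ev.type === "navigate") {
      const openedAt = lastOpen.get(ev.tab);
      const paired = openedAt !== undefined && ev.t - openedAt <= windowMs;
      const leavesOrigin = originOf(ev.from) !== originOf(ev.to);
      // Either half alone is a normal link. Suspect only the opener being
      // sent cross-origin, with no click of its own, right after it opened a tab.
      if (paired && leavesOrigin && !ev.userGesture) {
        findings.push({ tab: ev.tab, to: ev.to, delayMs: ev.t - openedAt });
      }
    }
  }
  return findings;
}

// Constructed sample log (all hosts are placeholders under .example).
const sampleEvents = [
  // Click opens the article in tab 2, then tab 1 is redirected to an ad host.
  { t: 0, type: "open", openerTab: 1, newTab: 2, userGesture: true },
  { t: 40, type: "navigate", tab: 1, userGesture: false,
    from: "https://news.example/", to: "https://ads.example/landing" },
  // Same pattern but the opener stays on its own origin: not flagged.
  { t: 5000, type: "open", openerTab: 3, newTab: 4, userGesture: true },
  { t: 5100, type: "navigate", tab: 3, userGesture: false,
    from: "https://shop.example/", to: "https://shop.example/cart" },
  // User opens a tab, then deliberately clicks a cross-origin link: not flagged.
  { t: 9000, type: "open", openerTab: 5, newTab: 6, userGesture: true },
  { t: 9500, type: "navigate", tab: 5, userGesture: true,
    from: "https://blog.example/", to: "https://docs.example/" },
  // Plain cross-origin redirect with no new tab involved: not flagged.
  { t: 12000, type: "navigate", tab: 7, userGesture: false,
    from: "https://old.example/", to: "https://new.example/" },
];

console.log(findTabUnders(sampleEvents));
```

Only the first pair in the sample is reported; the other three cases are the "perfectly normal" behaviors on their own.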

Re: Chrome to block "tab-under" redirects by default

Post by barbaz » Fri Oct 06, 2017 2:07 am

Thrawn wrote: It certainly isn't the same case, since tab-unders happen in the foreground.

Thanks for the explanation!

Thrawn wrote: Theoretically it would be possible for NoScript to introduce countermeasures, but it doesn't strike me as a security issue,

So, for example, a tab-under redirect to a fake Gmail login page wouldn't be a security issue?

Isn't this just as dangerous as tabnapping, for the same reasons? -
http://www.azarask.in/blog/post/a-new-type-of-phishing-attack wrote: As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.

I'm glad Chrome (and hopefully Chromium) will do something about this, and I hope NoScript does too.

Should I start a new thread in the NoScript forums for this? Or re-title and move this one?

Re: Chrome to block "tab-under" redirects by default

Post by therube » Fri Oct 06, 2017 5:32 am

I would think NoScript could / should block popunders similar to BGRefresh.

Matter of fact... noscript.surrogate.popunder.*.
Now NoScript might need some tweaking...


See if we can get NoScript to block, https://github.com/sanosay/exads-adblock.

Re: Chrome to block "tab-under" redirects by default

Post by barbaz » Fri Oct 06, 2017 3:07 pm

therube wrote: See if we can get NoScript to block, https://github.com/sanosay/exads-adblock.

Sorry but I don't see how that's relevant?

Re: Chrome to block "tab-under" redirects by default

Post by therube » Fri Oct 06, 2017 4:57 pm

Well they've got popunder code there - that is in use by websites, that does cause "popunders" (tab-unders).

We have surrogates.

Maybe we can come up with a surrogate that thwarts those popunders?


NSFW (results returned):
https://www.google.com/search?q=ExoLoader.addZone%28{%22type%22%3A+%22popunder%22%2C+%22idzone%22%3A+%22222%22}%29%3B&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial

Re: Chrome to block "tab-under" redirects by default

Post by barbaz » Fri Oct 06, 2017 6:53 pm

Not sure how a surrogate would reliably thwart a site that does the tab-under redirect immediately before opening the new tab.

Re: Chrome to block "tab-under" redirects by default

Post by Thrawn » Sun Oct 08, 2017 10:53 pm

barbaz wrote: So, for example, a tab-under redirect to a fake Gmail login page wouldn't be a security issue?

Would it be any different to any other link taking you to a phishing site? NoScript doesn't try to be a general anti-phishing defence.

If I'm browsing random.com, I click on a link, and I seem to be at a Gmail login page, then there's no particular reason that that couldn't have been a perfectly ordinary hyperlink. If it's actually a phishing site, then putting it in a pop-under probably makes it less dangerous, since it waves a flag saying "This site is doing user-unfriendly things! Close their tabs!"

Re: Chrome to block "tab-under" redirects by default

Post by barbaz » Mon Oct 09, 2017 12:15 am

Thrawn wrote: Would it be any different to any other link taking you to a phishing site?

Yep, because "any other link" would have to appear somehow related to Gmail (or whatever they're phishing) to avoid setting off alarm bells. With a tab-under, the link not only can point to something innocuous and totally unrelated to Gmail, you would actually end up with said innocuous page in front of you. So the only visual indicator that anything malicious is happening would be the tab bar...and only if you're lucky enough to spot the redirection as it's happening. Same as with tabnapping.

Thrawn wrote: If it's actually a phishing site, then putting it in a pop-under probably makes it less dangerous, since it waves a flag saying "This site is doing user-unfriendly things! Close their tabs!"

Only if the user is watching their tab bar like a movie.

