Page 1 of 1

Chrome to block "tab-under" redirects by default

Posted: Wed Oct 04, 2017 9:34 pm
by barbaz
https://www.bleepingcomputer.com/news/s ... -behavior/

(Does NoScript already block this crap?)

Re: Chrome to block "tab-under" redirects by default

Posted: Wed Oct 04, 2017 10:32 pm
by Thrawn
I'd say that standard advice applies. If you've blocked a site, it can't do anything like this. If you've whitelisted it, it can redirect, but whatever site it redirects to will probably be blocked.

Re: Chrome to block "tab-under" redirects by default

Posted: Wed Oct 04, 2017 11:25 pm
by therube
Just how does one determine what is a "malicious" tab-under... popup... vs. one that is wanted?

So just like NoScript "blocks", & uBlock "blocks", & ... "blocks", there may be good or not so good consequences in doing so.


Removing the entries from dom.popup_allowed_events may help thwart such stuff.
But by the same token, there may be instances when such blocked actions are needed - on legitimate sites. So...

Typically what you might see is an attempt for something to open, but the action is squashed.


And even with that, there will always be a work-around to a work-around.

Re: Chrome to block "tab-under" redirects by default

Posted: Wed Oct 04, 2017 11:42 pm
by barbaz
Thrawn wrote:I'd say that standard advice applies. If you've blocked a site, it can't do anything like this. If you've whitelisted it, it can redirect, but whatever site it redirects to will probably be blocked.
True that. But the reason I ask is because NoScript has tabnapping protection (noscript.forbidBGRefresh) which can be set to work even on whitelisted sites. Just wondering if that can or should apply here?
therube wrote:Just how does one determine what is a "malicious" tab-under... popup... vs. one that is wanted?
Under what circumstances would you want a tab-under redirect?

Re: Chrome to block "tab-under" redirects by default

Posted: Fri Oct 06, 2017 12:40 am
by Thrawn
barbaz wrote:NoScript has tabnapping protection (noscript.forbidBGRefresh) which can be set to work even on whitelisted sites. Just wondering if that can or should apply here?
It certainly isn't the same case, since tab-unders happen in the foreground. Theoretically it would be possible for NoScript to introduce countermeasures, but it doesn't strike me as a security issue, only an advertising one.

The interesting thing about this is that it combines two perfectly normal link behaviors: opening a copy of the site in a new tab, and going to a new site. It's only when the two occur at the same time that it's almost certainly not what the user wanted.

Re: Chrome to block "tab-under" redirects by default

Posted: Fri Oct 06, 2017 2:07 am
by barbaz
Thrawn wrote:It certainly isn't the same case, since tab-unders happen in the foreground.
Thanks for the explanation!
Thrawn wrote:Theoretically it would be possible for NoScript to introduce countermeasures, but it doesn't strike me as a security issue,
So, for example, a tab-under redirect to a fake Gmail login page wouldn't be a security issue?

Isn't this just as dangerous as tabnapping, for the same reasons? -
http://www.azarask.in/blog/post/a-new-type-of-phishing-attack wrote:As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.
I'm glad Chrome (and hopefully Chromium) will do something about this, and I hope NoScript does too.

Should I start a new thread in the NoScript forums for this? Or re-title and move this one?

Re: Chrome to block "tab-under" redirects by default

Posted: Fri Oct 06, 2017 5:32 am
by therube
I would think NoScript could / should block popunders similar to BGRefresh.

Matter of fact... noscript.surrogate.popunder.*.
Now NoScript might need some tweaking...


See if we can get NoScript to block, https://github.com/sanosay/exads-adblock.

Re: Chrome to block "tab-under" redirects by default

Posted: Fri Oct 06, 2017 3:07 pm
by barbaz
therube wrote:See if we can get NoScript to block, https://github.com/sanosay/exads-adblock.
Sorry but I don't see how that's relevant?

Re: Chrome to block "tab-under" redirects by default

Posted: Fri Oct 06, 2017 4:57 pm
by therube
Well they've got popunder code there - that is in use by websites, that does cause "popunders" (tab-unders).

We have surrogates.

Maybe we can come up with a surrogate that thwarts those popunders?


NSFW (results returned):
https://www.google.com/search?q=ExoLoader.addZone%28{%22type%22%3A+%22popunder%22%2C+%22idzone%22%3A+%22222%22}%29%3B&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial

Re: Chrome to block "tab-under" redirects by default

Posted: Fri Oct 06, 2017 6:53 pm
by barbaz
Not sure how a surrogate would reliably thwart a site that does the tab-under redirect immediately before opening the new tab.

Re: Chrome to block "tab-under" redirects by default

Posted: Sun Oct 08, 2017 10:53 pm
by Thrawn
barbaz wrote: So, for example, a tab-under redirect to a fake Gmail login page wouldn't be a security issue?
Would it be any different to any other link taking you to a phishing site? NoScript doesn't try to be a general anti-phishing defence.

If I'm browsing random.com, I click on a link, and I seem to be at a Gmail login page, then there's no particular reason that that couldn't have been a perfectly ordinary hyperlink. If it's actually a phishing site, then putting it in a pop-under probably makes it less dangerous, since it waves a flag saying "This site is doing user-unfriendly things! Close their tabs!"

Re: Chrome to block "tab-under" redirects by default

Posted: Mon Oct 09, 2017 12:15 am
by barbaz
Thrawn wrote:Would it be any different to any other link taking you to a phishing site?
Yep, because "any other link" would have to appear somehow related to Gmail (or whatever they're phishing) to avoid setting off alarm bells. With a tab-under, the link not only can point to something innocuous and totally unrelated to Gmail, you would actually end up with said innocuous page in front of you. So the only visual indicator that anything malicious is happening would be the tab bar...and only if you're lucky enough to spot the redirection as it's happening. Same as with tabnapping.
Thrawn wrote:If it's actually a phishing site, then putting it in a pop-under probably makes it less dangerous, since it waves a flag saying "This site is doing user-unfriendly things! Close their tabs!"
Only if the user is watching their tab bar like a movie.