Chrome to block "tab-under" redirects by default
Posted: Wed Oct 04, 2017 9:34 pm
https://forums.informaction.com/
Thrawn wrote:
> I'd say that standard advice applies. If you've blocked a site, it can't do anything like this. If you've whitelisted it, it can redirect, but whatever site it redirects to will probably be blocked.

True that. But the reason I ask is because NoScript has tabnapping protection (noscript.forbidBGRefresh) which can be set to work even on whitelisted sites. Just wondering if that can or should apply here?

therube wrote:
> Just how does one determine what is a "malicious" tab-under... popup... vs. one that is wanted?

Under what circumstances would you want a tab-under redirect?

barbaz wrote:
> NoScript has tabnapping protection (noscript.forbidBGRefresh) which can be set to work even on whitelisted sites. Just wondering if that can or should apply here?

It certainly isn't the same case, since tab-unders happen in the foreground. Theoretically it would be possible for NoScript to introduce countermeasures, but it doesn't strike me as a security issue, only an advertising one.

Thrawn wrote:
> It certainly isn't the same case, since tab-unders happen in the foreground.

Thanks for the explanation!

Thrawn wrote:
> Theoretically it would be possible for NoScript to introduce countermeasures, but it doesn't strike me as a security issue,

So, for example, a tab-under redirect to a fake Gmail login page wouldn't be a security issue?

http://www.azarask.in/blog/post/a-new-type-of-phishing-attack wrote:
> As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they'll see the standard Gmail login page, assume they've been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.

I'm glad Chrome (and hopefully Chromium) will do something about this, and I hope NoScript does too.

therube wrote:
> See if we can get NoScript to block, https://github.com/sanosay/exads-adblock.

Sorry, but I don't see how that's relevant?

barbaz wrote:
> So, for example, a tab-under redirect to a fake Gmail login page wouldn't be a security issue?

Would it be any different to any other link taking you to a phishing site? NoScript doesn't try to be a general anti-phishing defence.

Thrawn wrote:
> Would it be any different to any other link taking you to a phishing site?

Yep, because "any other link" would have to appear somehow related to Gmail (or whatever they're phishing) to avoid setting off alarm bells. With a tab-under, the link not only can point to something innocuous and totally unrelated to Gmail, you would actually end up with said innocuous page in front of you. So the only visual indicator that anything malicious is happening would be the tab bar... and only if you're lucky enough to spot the redirection as it's happening. Same as with tabnapping.

Thrawn wrote:
> If it's actually a phishing site, then putting it in a pop-under probably makes it less dangerous, since it waves a flag saying "This site is doing user-unfriendly things! Close their tabs!"

Only if the user is watching their tab bar like a movie.
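The thread separates tab-unders (the opener tab navigates while a freshly opened foreground tab covers it) from tabnapping (a background tab changes later, the case noscript.forbidBGRefresh targets). The following is an added example, not code from the thread or from NoScript: a small detection heuristic that flags both patterns from a constructed trace of tab events. In a real extension the same three events would come from the browser's tab and navigation APIs; the 5-second window and the event object shapes are assumptions.

```javascript
// Added example (not NoScript code): report navigations in tabs the user is not
// looking at. A navigation in the opener tab shortly after it spawned a foreground
// tab is a "tab-under"; any other navigation in an unfocused tab is reported as a
// tabnapping-style "background-navigation". Event objects are constructed by hand.

const TAB_UNDER_WINDOW_MS = 5000; // assumption: redirect within 5 s of spawning a tab

class TabUnderMonitor {
  constructor() {
    this.activeTab = null;          // id of the tab currently in the foreground
    this.lostFocusAt = new Map();   // tabId -> time it went to the background
    this.openedChildAt = new Map(); // opener tabId -> time it last spawned a tab
    this.alerts = [];
  }
  onTabCreated({ tabId, openerTabId, time }) {
    if (openerTabId !== undefined) this.openedChildAt.set(openerTabId, time);
  }
  onTabActivated({ tabId, time }) {
    if (this.activeTab !== null && this.activeTab !== tabId) {
      this.lostFocusAt.set(this.activeTab, time);
    }
    this.lostFocusAt.delete(tabId);
    this.activeTab = tabId;
  }
  // Returns an alert object, or null when the navigation is in the focused tab.
  onNavigationCommitted({ tabId, url, time }) {
    if (tabId === this.activeTab) return null;
    const since = this.lostFocusAt.get(tabId);
    if (since === undefined) return null;
    const spawned = this.openedChildAt.get(tabId);
    const isTabUnder = spawned !== undefined && time - spawned <= TAB_UNDER_WINDOW_MS;
    const kind = isTabUnder ? 'tab-under' : 'background-navigation';
    const alert = { tabId, url, kind, hiddenForMs: time - since };
    this.alerts.push(alert);
    return alert;
  }
}

// Constructed trace: a click on tab 1 opens tab 2 in front and tab 1 then redirects
// to an ad (tab-under); much later tab 1 navigates again while in the background.
function runSample() {
  const m = new TabUnderMonitor();
  m.onTabActivated({ tabId: 1, time: 0 });
  m.onTabCreated({ tabId: 2, openerTabId: 1, time: 1000 });
  m.onTabActivated({ tabId: 2, time: 1000 });
  const a = m.onNavigationCommitted({ tabId: 2, url: 'https://example.com/article', time: 1200 });
  const b = m.onNavigationCommitted({ tabId: 1, url: 'https://example.net/ad', time: 1500 });
  m.onTabActivated({ tabId: 1, time: 60000 });
  m.onTabActivated({ tabId: 2, time: 61000 });
  const c = m.onNavigationCommitted({ tabId: 1, url: 'https://example.org/login', time: 90000 });
  return { a, b, c, alerts: m.alerts }; // a: null, b: tab-under, c: background-navigation
}
```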