CyberGlossary

Attacks & Threats

Tabnabbing

Also known as: Reverse tabnabbing

Definition

An attack where a background or newly opened browser tab silently rewrites itself to look like a trusted login page, hoping the user returns and re-enters credentials.

Tabnabbing exploits the fact that inactive tabs are rarely watched. Classic tabnabbing uses JavaScript in a tab the user has navigated away from to change its title, favicon, and content so that it resembles a familiar service such as a webmail or banking site; when the user returns, they are likely to enter credentials without noticing the tab has changed.

Reverse tabnabbing exploits target="_blank" links: a malicious page opened in a new tab uses the window.opener reference back to the originating tab to rewrite that tab's URL toward a phishing page. Modern browsers treat target="_blank" links as if rel="noopener" were set, but legacy code, older browsers, and links opened with window.open() without the noopener feature may still be vulnerable.

Defences include rel="noopener noreferrer" on outbound links, CSP, opening user-controlled URLs with noopener, and user awareness about checking the URL bar after switching tabs.
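As an added example (not part of this glossary entry), the following JavaScript performs a static audit of server-rendered or templated HTML for reverse-tabnabbing exposure: it lists target="_blank" links that carry neither rel="noopener" nor rel="noreferrer" (the latter implies noopener), and rewrites them to add "noopener noreferrer". The regexes, function names, and the sample comment body are constructed for this example.

```javascript
// Static audit and fix for reverse-tabnabbing exposure in an HTML string.
// Constructed example; regexes and names are this example's own.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Parse the attribute text of one <a> tag into a lowercase-keyed map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// A link is exposed when it opens a new tab and nothing in rel severs
// the window.opener reference (noreferrer implies noopener).
function isVulnerableAnchor(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = (attrs.rel || '').toLowerCase().split(/\s+/);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Return the hrefs of every exposed link in the HTML.
function auditHtml(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if (isVulnerableAnchor(attrs)) findings.push(attrs.href || '(no href)');
  }
  return findings;
}

// Rewrite exposed links so rel contains "noopener noreferrer",
// merging with an existing rel value (e.g. nofollow) when present.
function hardenHtml(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    if (!isVulnerableAnchor(parseAttrs(attrText))) return tag;
    const relMatch = /\brel\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i.exec(attrText);
    if (relMatch) {
      const existing = relMatch[1].replace(/^["']|["']$/g, '');
      const merged = `${existing} noopener noreferrer`.trim();
      return `<a${attrText.replace(relMatch[0], `rel="${merged}"`)}>`;
    }
    return `<a${attrText} rel="noopener noreferrer">`;
  });
}

// Constructed sample: a comment body containing one user-supplied link.
const SAMPLE = '<p>See <a href="https://example.test/x" target="_blank">this</a> '
  + 'and <a href="/docs" target="_blank" rel="noopener">docs</a>.</p>';
```

Running auditHtml(SAMPLE) reports only the first link; hardenHtml(SAMPLE) leaves the already-safe link untouched and the audit of its output is empty.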

Examples

  • A tab the user left open quietly rewrites itself to resemble Gmail's login page and prompts for a password.
  • A link in a comment opens a new tab and uses window.opener to redirect the user's original tab to a phishing site.

Related terms