Tabnabbing
What is Tabnabbing?
Tabnabbing: An attack where a background or newly opened browser tab silently rewrites itself to look like a trusted login page, hoping the user returns and re-enters credentials.
Tabnabbing exploits the fact that inactive tabs are rarely watched. Classic tabnabbing uses JavaScript in a tab the user has navigated away from to change its title, favicon, and content so that it resembles a familiar service such as a webmail or banking site; when the user returns, they are likely to enter credentials without re-checking the address bar. Reverse tabnabbing targets links with target="_blank": a malicious page opened in a new tab uses the window.opener reference it was handed to rewrite the original tab's location toward a phishing page. Modern browsers treat target="_blank" links as rel="noopener" by default, but older browsers, and window.open() calls made without the noopener feature, may still hand the opened page a reference to the opener. Defences include rel="noopener noreferrer" on outbound links, a Content Security Policy that limits which scripts can run in the page, opening user-controlled URLs with noopener, and user awareness about checking the URL bar after switching tabs.
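The following is an added defensive example, not code from the original page: it hardens outbound links against reverse tabnabbing by adding rel="noopener noreferrer" to every target="_blank" anchor and by wrapping window.open() so the opened tab never receives a usable opener. The helper names (hardenRel, needsHardening, safeOpen, hardenDocumentLinks, demo) and the fake document and window objects used in demo() are assumptions constructed here so the code runs outside a browser.

```javascript
// Added example (not from the original page): hardening outbound links
// against reverse tabnabbing. hardenRel(), needsHardening() and safeOpen()
// run under Node; hardenDocumentLinks() applies them to a live DOM when one exists.

const REQUIRED_REL = ['noopener', 'noreferrer'];

// Return a rel value that contains noopener and noreferrer, keeping any
// tokens already present (e.g. "nofollow") and dropping duplicates.
function hardenRel(rel) {
  const tokens = new Set(
    String(rel || '').toLowerCase().trim().split(/\s+/).filter(Boolean)
  );
  for (const t of REQUIRED_REL) tokens.add(t);
  return Array.from(tokens).join(' ');
}

// A link needs hardening when it opens a new browsing context (target="_blank")
// and does not already declare noopener. The href origin is irrelevant: a
// same-origin page that later redirects off-site would still hold window.opener.
function needsHardening(link) {
  if (String(link.target || '').toLowerCase() !== '_blank') return false;
  const rel = String(link.rel || '').toLowerCase().split(/\s+/);
  return !rel.includes('noopener');
}

// Open a URL in a new tab without handing it a reference to this window.
// `win` is injected so the function can be exercised with a fake in tests.
// With the 'noopener' feature modern browsers return null from window.open();
// older ones return the new window, so its opener is also nulled explicitly.
function safeOpen(url, win = globalThis.window) {
  const opened = win.open(url, '_blank', 'noopener,noreferrer');
  if (opened) opened.opener = null;
  return opened;
}

// Apply the hardening to every target="_blank" anchor in a document.
// Returns the number of links changed so the result can be logged or asserted.
function hardenDocumentLinks(doc = globalThis.document) {
  if (!doc) return 0;
  let changed = 0;
  for (const a of doc.querySelectorAll('a[target="_blank"]')) {
    if (needsHardening(a)) {
      a.rel = hardenRel(a.rel);
      changed++;
    }
  }
  return changed;
}

// Demo with a minimal fake of the DOM and window surface the helpers touch
// (constructed here; no browser required).
function demo() {
  const links = [
    { href: 'https://example.org/', target: '_blank', rel: 'nofollow' },
    { href: 'https://example.org/', target: '_blank', rel: 'noopener' },
    { href: '/local', target: '', rel: '' },
  ];
  const fakeDoc = {
    querySelectorAll: () => links.filter((l) => l.target === '_blank'),
  };
  const changed = hardenDocumentLinks(fakeDoc);

  // Simulate a legacy browser that returns the new window despite 'noopener'.
  const fakeOpened = { opener: { location: 'the opener tab' } };
  const fakeWin = { open: () => fakeOpened };
  const result = safeOpen('https://example.org/', fakeWin);

  return {
    changed,
    rels: links.map((l) => l.rel),
    openerNulled: result.opener === null,
  };
}

module.exports = { hardenRel, needsHardening, safeOpen, hardenDocumentLinks, demo };
```

In a real page, call hardenDocumentLinks() after the DOM is loaded and again whenever user-generated content (comments, forum posts) is inserted, since those are the links most likely to point at an untrusted origin. The origin-agnostic rule in needsHardening() is deliberate: noopener costs nothing on trusted links, and an allowlist of "safe" origins is one redirect away from being wrong.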
● Examples
- 01
A tab the user left open quietly rewrites itself to resemble Gmail's login page and prompts for a password.
- 02
A link in a comment opens a new tab and uses window.opener to redirect the user's original tab to a phishing site.
● Frequently asked questions
What is Tabnabbing?
An attack where a background or newly opened browser tab silently rewrites itself to look like a trusted login page, hoping the user returns and re-enters credentials. It belongs to the Attacks & Threats category of cybersecurity.
What does Tabnabbing mean?
An attack where a background or newly opened browser tab silently rewrites itself to look like a trusted login page, hoping the user returns and re-enters credentials.
How do you defend against Tabnabbing?
Defences for Tabnabbing combine technical controls with operational practice: adding rel="noopener noreferrer" to outbound target="_blank" links, opening user-controlled URLs with noopener, applying a Content Security Policy, and training users to check the URL bar after switching back to a tab, as described in the full definition above.
What are other names for Tabnabbing?
Common alternative names include: Reverse tabnabbing.