'Tabnabbing' attack can steal passwords

A top Firefox programmer has figured out a scary new way to carry out phishing attacks, this time using browser tabs.

Aza Raskin, who was appointed Firefox's creative lead in March, has designed a JavaScript-based social engineering exploit that replaces one page with a mock-up of another while the victim is distracted elsewhere.

The attack could be used to harvest user names and passwords for banks, email accounts, or any other type of web site.

The trick relies upon the fact that surfers often have several browser tabs open simultaneously, and may forget what page they have open in a given tab.

An attacking page waits until it loses focus, which happens when the user switches to another tab or application. It then uses JavaScript to rewrite the contents of the page to mimic, say, a bank's login page.

It also changes the title and favicon as it appears in the browser, making it even more difficult to notice that the tab is still actually displaying an attacker-owned page.
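As an added example (not code from the article or from Raskin's post), here is a defensive check of the kind a browser extension could run against the pattern described above: it snapshots the cues a user recognises a tab by when the tab is hidden and compares them when the tab comes back, flagging a favicon swap or a password form that was not there before. The snapshot shape, the weights and the sample values are my own assumptions.

```javascript
// Titles legitimately change while a tab is hidden ("(3) Inbox"), so a title
// change alone is a weak signal; a favicon swap or a newly appeared password
// form is the tell the article describes. Weights are assumed, not standard.
const TITLE_WEIGHT = 1;
const STRONG_WEIGHT = 5;

// Snapshot the cues a user relies on to recognise a tab. `doc` is a Document-like
// object exposing title, querySelector and querySelectorAll (the real DOM in a browser).
function takeSnapshot(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.href : null,
    passwordForms: Array.from(doc.querySelectorAll('form'))
      .filter(f => f.querySelector('input[type="password"]')).length,
  };
}

// Compare the snapshot taken when the tab was hidden with one taken when it
// regained focus. Returns a score and the findings so the caller decides when to warn.
function compareSnapshots(before, after) {
  const findings = [];
  let score = 0;
  if (before.title !== after.title) {
    findings.push('title changed while hidden'); score += TITLE_WEIGHT;
  }
  if (before.favicon !== after.favicon) {
    findings.push('favicon changed while hidden'); score += STRONG_WEIGHT;
  }
  if (after.passwordForms > before.passwordForms) {
    findings.push('password form appeared while hidden'); score += STRONG_WEIGHT;
  }
  return { score, suspicious: score >= STRONG_WEIGHT, findings };
}

// Constructed sample: what the tab looked like before the user switched away,
// and what it looked like when they came back (a swapped-in login page).
const SAMPLE_BEFORE = { title: 'Cute kittens', favicon: 'https://kittens.example/favicon.ico', passwordForms: 0 };
const SAMPLE_AFTER = { title: 'Webmail - Sign in', favicon: 'https://kittens.example/mail.ico', passwordForms: 1 };

// Browser wiring: snapshot on hide, compare on show. A no-op outside a browser.
if (typeof document !== 'undefined') {
  let hiddenSnapshot = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) { hiddenSnapshot = takeSnapshot(document); return; }
    if (!hiddenSnapshot) return;
    const result = compareSnapshots(hiddenSnapshot, takeSnapshot(document));
    if (result.suspicious) console.warn('Tab changed while hidden; check the address bar:', result.findings);
  });
}
```

The check is a heuristic, not a proof: a page that legitimately loads a login form while hidden will also trigger it, which is why it warns the user to look at the address bar rather than blocking anything.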

The only way for the average user to tell the difference is to check that the URL in the browser address bar is legit.

Raskin's blog post explaining the attack also implements it (albeit with a non-functional Gmail login page). We've seen it doing its dirty deeds in Firefox, Internet Explorer and Safari. It's pretty unnerving.