Phishing Emails – The Web Vulnerability Nobody Talks About

9th September 2016 - 3 Min. Read

It’s a common practice for websites to open external links in a new tab. If you use the target="_blank" attribute on links, it’s highly likely that your users are vulnerable to a very simple yet dangerous phishing email attack.

A lot of websites use this to instruct a user’s browser to open a specific link in a new tab/window. While this seems fine in practice, there is actually a connection between the new external tab and the previous tab: when the link is clicked, the new tab is given a reference to the previous tab (window.opener), which allows it to interact with that tab. This means any website you link to could potentially send your current tab to another site, which could then use phishing techniques to steal private information from the user.

The majority of websites do not deal with this properly; even major sites such as Facebook are currently vulnerable to this attack. While Twitter has disabled the attack on Chrome and Firefox by using a script, it is still vulnerable on Safari. This has been brought up by many others, including on a Web Hypertext Application Technology Working Group mailing list. In my opinion, sites such as Facebook and Twitter should have fixed this years ago, and it should not be overlooked.

A phishing email link example

If you visit this link you’ll see an example of the phishing email attack. The script being used to execute this is very simple:

if( window.opener ) { window.opener.location = 'https://espprojects.co.uk/phishing/worked/'; }

Obviously, this example isn’t sending the user anywhere malicious, thankfully.

Privacy concerns

So that’s one thing: being able to change the location of a user’s tab without them likely even noticing. But what if they could also see other information from your session? Well, they can. The new tab has ongoing access to the browsing location and other data of the previous tab. Thankfully this seems to fall under the cross-domain restrictions, so even though it can gain access to some ongoing information, there are still some restrictions that will apply.

How to fix it

The simplest way to stop this happening is to add “noopener” to the “rel” attribute. However, Firefox does not currently support this, so you’ll also need to add “noreferrer” to protect Firefox users. Make sure you add this to all external links to stop the linked site from being able to access the previous tab. You can see an example of how your links should look below:

href='https://espprojects.co.uk/phishing/' target='_blank' rel='noopener noreferrer'

This would then give you this link, which you can see no longer allows the site to control the previous tab. Hopefully, browsers will have this fixed one day, but considering it’s been reported since early 2013, I’m still shocked browsers haven’t come to an agreement to prevent this from happening. If you want some help fixing this issue on your website, feel free to get in touch.
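As an added example (not code from the original post), the script below applies the rel fix described above to every external link that opens in a new tab, keeping any rel tokens already present. The function names are hypothetical, and treating any target other than _self, _parent and _top as opening a new tab is an assumption that goes slightly beyond the target='_blank' case in the text.

```javascript
// Added example: audit and harden links that open in a new tab.
// Works on DOM <a> elements or any object with getAttribute/setAttribute.
const REQUIRED_REL = ['noopener', 'noreferrer'];
// Assumption: these targets stay in the current tab; anything else opens another one.
const SAME_CONTEXT_TARGETS = new Set(['', '_self', '_parent', '_top']);

// True when the link opens another tab/window (e.g. target="_blank").
function opensNewContext(a) {
  const target = (a.getAttribute('target') || '').trim().toLowerCase();
  return !SAME_CONTEXT_TARGETS.has(target);
}

// True when href resolves to a different origin than the page it is on.
function isExternal(a, pageUrl) {
  try {
    const href = a.getAttribute('href') || '';
    return new URL(href, pageUrl).origin !== new URL(pageUrl).origin;
  } catch (e) {
    return true; // unparsable URL: treat as external so it still gets hardened
  }
}

// Adds the missing rel tokens, keeping existing ones (e.g. nofollow).
// Returns the list of tokens that had to be added.
function hardenLink(a) {
  const tokens = (a.getAttribute('rel') || '').split(/\s+/).filter(Boolean);
  const present = new Set(tokens.map((t) => t.toLowerCase()));
  const missing = REQUIRED_REL.filter((t) => !present.has(t));
  if (missing.length) a.setAttribute('rel', tokens.concat(missing).join(' '));
  return missing;
}

// Hardens every external new-tab link and reports what was changed.
function hardenLinks(anchors, pageUrl) {
  const report = [];
  for (const a of anchors) {
    if (!opensNewContext(a) || !isExternal(a, pageUrl)) continue;
    const added = hardenLink(a);
    if (added.length) report.push({ href: a.getAttribute('href'), added });
  }
  return report;
}

// In a browser, run over the live page and list the links that were fixed.
if (typeof document !== 'undefined') {
  console.table(hardenLinks(document.querySelectorAll('a[href][target]'), location.href));
}
```

A non-empty report means the page's templates are emitting unprotected links; fix them at the source rather than relying on the script at runtime.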

Thanks to Ben over at Dev.to for the helpful information on this vulnerability.