Entry | Tabnabbing |
Definition |
The attack causes the browser to navigate to the impersonated page after the page has been left unattended for some time. A user who returns after a while and sees the login page may be induced to believe the page is legitimate and enter their login, password and other details, which will then be used for improper purposes. The attack is more likely to succeed if the attacker is able to check for well-known websites the user has loaded in the past or in other tabs, and loads a simulation of the same sites.

This attack can be done even if JavaScript is disabled, using the "meta refresh" meta element, an HTML feature used for page redirection that causes a specified new page to load after a given time interval.[4]

The NoScript extension for Mozilla Firefox defends against both the JavaScript-based attack and the scriptless attack based on meta refresh, by preventing inactive tabs from changing the location of the page.[5] Because there are legitimate purposes for inactive tab redirects, they cannot be disabled in all browsers by default without breaking some applications. The attack is also not very common, giving browser vendors little incentive to implement a breaking change.

Example

"It can detect that you're logged into Citibank right now and Citibank has been training you to log into your account every 15 minutes because it logs you out for better security. It's like being hit by the wrong end of the sword," said Aza Raskin.[6]
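
The scriptless variant described above leaves a visible trace in the markup: a meta refresh with a non-zero delay whose target is on another origin. The following Python example is added here and is not code from the original article or from NoScript; it audits a page's HTML for that pattern. The function names, the 30-second threshold and the example.com/example.net hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# content="<seconds>; url=<target>" (the separator may be "," and "url=" is optional)
_REFRESH = re.compile(
    r"""^\s*(\d+)(?:\.\d*)?\s*(?:[;,]\s*(?:url\s*=\s*)?(['"]?)(.*?)\2)?\s*$""",
    re.I | re.S)
_DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample page, served from https://news.example.com/article
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0; url=/home">
<meta http-equiv="Refresh" content="300; url=https://login.example.net/signin">
<meta http-equiv="refresh" content="120">
</head><body>article text</body></html>"""

class _RefreshFinder(HTMLParser):
    """Collects the content value of every <meta http-equiv="refresh">."""
    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").strip().lower() == "refresh":
            self.values.append(a.get("content") or "")

def _origin(url):
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or _DEFAULT_PORTS.get(scheme)

def audit_meta_refresh(html, page_url, min_delay=30):
    """List delayed meta refreshes that leave page_url's origin.
    min_delay (seconds) is an assumed threshold, not a value from the article."""
    finder = _RefreshFinder()
    finder.feed(html)
    findings = []
    for value in finder.values:
        m = _REFRESH.match(value)
        if not m:
            continue  # malformed value, skipped
        delay, target = int(m.group(1)), (m.group(3) or "").strip()
        dest = urljoin(page_url, target) if target else page_url
        if delay >= min_delay and _origin(dest) != _origin(page_url):
            findings.append({"delay": delay, "destination": dest})
    return findings
```

Immediate redirects and same-origin reloads are not reported, since legitimate pages use both; only the delayed, cross-origin case matches what the article describes.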
References

1. Claburn, Thomas (2010-05-25). "Tabnapping attack makes phishing easy". Information Week. http://www.informationweek.com/news/storage/security/showArticle.jhtml?articleID=225200157&subSection=News (accessed 2012-02-19).
2. "Aza Raskin's original tabnabbing disclosure" (2010-05-25). Azarask.in. http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/ (accessed 2012-02-19).
3. Warren, Christina (2010-05-25). "New Type of Phishing Attack Goes After Your Browser Tabs". Mashable.com. http://mashable.com/2010/05/25/tabnabbing-phishing/ (accessed 2012-02-19).
4. Adler, Eitan (2010-05-30). "Eitan Adler's thoughts: Tabnabbing Without Javascript". Blog.eitanadler.com. http://blog.eitanadler.com/2010/05/tabnabbing-without-javascript.html (accessed 2012-02-19).
5. "NoScript 1.9.9.81 changelog announcing specific tabnapping protection". Noscript.net. http://noscript.net/changelog#1.9.9.81 (accessed 2012-02-19).
6. Magid, Larry (2010-06-11). "Tabnabbing: Like phishing within browser". News.cnet.com. http://news.cnet.com/8301-19518_3-20007518-238.html (accessed 2012-02-19).
Categories: Social engineering (computer security) | Cybercrime