Tabnabbing

Tabnabbing is one of the web developer Aza Raskin, the son of the user-interface designer Jef Raskin, discovered phishing method that using JavaScript, the entire page content as well as the favicon and title of a web page be changed when exiting a tab to the to deceive users. The user should think that he had requested the page, which is why he does not check the URL. Then he gives in faith, he was on the real site, its private data.

Method

The user opens a normal website on which such a JavaScript runs in the background. Once the current tab in the browser loses focus for a certain time, the favicon of the site, the title and the entire contents of the page are changed. By not entering reloading the user is fooled and thinks that he himself had driven the site. It may contribute to the new content of the page, which in this case contains a phishing form, its sensitive data. Its data is stored and he is then forwarded to the actual login page.

Extensibility through History Stealing

When History Stealing the attacker makes way exploit, such as the web browser stores whether a user has ever followed a link. Already clicked links are color- illustrated differently than links that you are not followed. The color is caused by a change in the style sheet (CSS ) of the HTML document that stores the Web browser as attributes in the history. When history stealing method applied in the browser history is read by a JavaScript. These data can now be used to replace the most visited page using the Tabnabbing by a phishing form. This can increase the success rate of an attack because the victim ( user ) is not surprised by an unknown login window.

This vulnerability has been closed in the spring of 2011 by most browser vendors.