Introduction to the target="_blank" attribute and phishing attacks
Many website administrators routinely add the target="_blank" attribute to the links on their pages, which is a very insecure practice. The target="_blank" attribute also exposes the vast majority of Internet users to the risk of phishing attacks.
As early as 2014, many security researchers were already saying that target="_blank" is a very insecure attribute. Some security reports on the attribute were even given deliberately eye-catching titles to draw people's attention to it.
How the vulnerability works
When a user clicks a hyperlink that carries the target="_blank" attribute, the browser creates a separate tab to show the linked content. Note, however, that at this point the browser allows the newly created tab to communicate briefly with the previous page through a browser API called "window.opener".
An attacker can therefore embed malicious code in the newly opened website, detect which site the user came from, and finally use the window.opener interface to force the original page to load a new URL.
For example, if a user clicks a link with the target="_blank" attribute on Facebook, the attacker can replace the original Facebook page with a forged Facebook page and then ask the user to re-enter their user name and password. As a result, the attacker obtains the target user's credentials.
Scope of impact
Unfortunately, large social networking sites such as Instagram, Facebook and Twitter are affected by this attack.
Of these three major social networking sites, only Instagram has completely fixed the problem. On Twitter, the attack is only possible when users access the site with the Safari browser. Google, however, has long said openly that it does not care about this issue …
How to fix this problem?
This means that the burden of fixing the problem falls on webmasters. In fact, the easiest way to fix it is to add the rel="noopener" attribute to all of the site's links. Because Firefox does not fully support that value, developers should use rel="noopener noreferrer" instead.
Keep in mind that every time you open a new window with the window.open() interface, your security is likely to be affected by this API as well, so do not forget to reset the "opener" property.
// Open the new window, then clear its reference back to this page.
var newWnd = window.open();
newWnd.opener = null;