Website Switcheroo: Links opening in tabs are dangerous

This is an article about internet security. It should be of interest to anyone who uses a web-browser.

Undoubtedly you know that any link on the web can be opened in a new browser tab. That is done by “right-clicking” on it and selecting “Open Link in New Tab” option.

However, many links that you find on websites automatically open in new browser tabs. For example, all links inside GMail emails behave this way. A website or a web app would publish links in this way so that a visitor stays longer on the host page.

In the following video I have recorded a phishing example that I have concocted. The example shows that you may be viewing one website, but when you are not looking, it may switch to another website that looks similar to the original.

In this example, I switched Google search results to Bing’s. In a real phishing scenario the pages won’t merely look similar, but would appear exactly the same. The the only difference would be the address in the address bar. Since you already had that tab opened, you will probably not re-check the address when returning to it.

The video shows three identical links, the first of which legitimately opens Google search results for “cat videos” in a new tab. The second link looks exactly the same: it has the same attributes, and when you mouse-over it, you see the same thing in the status bar of the browser. The status bar shows in both cases that the target URL is https://www.google.com/search?q=cat+videos. However, when you click that link nothing happens. The point here is that it is possible to prevent normal browser behavior.

The third link again looks exactly the same. However, instead of merely canceling the default behaviour, it redefines the original behaviour in a way that appears the same to the user: as expected, a new tab opens and shows search results. However, in this case, the original page is able to retain a reference to the new tab, a reference it wouldn’t have otherwise. By using this reference it can cause the new tab to navigate to another page at some later time.

There had been a lot of talk about a similar phishing attack, happening in the opposite direction, under the rubric of “window.opener tab nabbing”. In those cases, the starting website is legitimate but the website that got opened is a rogue one — it can switch the original website to a phishing one behind the scenes. To counter against that attack, an attribute rel=“noopener noreferrer” can be added to a link that is destined to be opened in a new tab.

But in the forward direction, as I am illustrating in this article, there is no programmatic defence. If you don’t trust the originating website, but would like to click a link on it that purports to open in a new tab, then you should do the following: (1) “right-click” on the link, (2) select “Copy Link Address”, (3) open a new tab, and (4) paste it in into the address bar of the new tab.

Also, if you thought that the link is for interval navigation and clicked it, but instead it opened in a new tab, then close this tab and reopen it manually, as I have described in the preceding paragraph.

If you are a web developer, you may reproduce this “phishing” trick on your own, starting with this code:

<a href="https://www.google.com/search?q=cat+videos" id="link">
  cat videos
</a>
<script>
  document.getElementById("link")
          .addEventListener("click", handle_click);
  var window_handle;
  function switch_website(){
    window_handle.location = 
      "https://www.bing.com/search?q=cat+videos";
  }
  function handle_click(event){
    event.preventDefault();
    event.stopPropagation();
    window_handle = window.open(this.href, "_blank");
    setTimeout(switch_website, 5000);
  }
</script>

You may think that most websites are safe, particularly websites like Facebook and Gmail. That’s because all the links submitted by 3rd parties (e.g. its users) are published properly. However, even legitimate websites like GMail and Facebook are subject to government court order to spy on some of you. They would have to comply with tricking you into exposing your private data through phishing.

Less prominent websites may have “Cross Site Scripting” (XSS) vulnerabilities that could generate links like these. The code above could be fully inserted into the onclick HTML attribute of a link.

In conclusion, don’t trust links that open in new tabs even if the site loaded in the new tab appears legitimate. The site may change to an illegitimate one when you are not looking.