Phishing with target="_blank"

Tram Ho

Introduction

"Fishing", or phishing as it is called in the West, is a scam that steals a user's account, password or credit card details. This article shows how phishing can be carried out through the browser's target="_blank" link attribute.

Method

If you use the target="_blank" attribute on a link without rel="noopener noreferrer" to open a site that is not under your control, the newly opened page gets a reference to your window object via window.opener. For a page on another origin that reference is limited, but it is enough to set window.opener.location and silently redirect the original tab.

The code below illustrates this.

Why is this serious? Imagine that https://khoanguyen.me/phishing is an attacker's bait page with a login form that looks exactly like your site's; users will hand over their passwords without noticing.

Example

  1. Go to the Khoa Nguyen dot me fanpage
  2. Click Like to help me out (cheap like-baiting)
  3. Click the truyen.me link. A new browser tab/window opens
  4. Note that the original tab (facebook.com) has been redirected to this page

[Screenshot: screen-shot-2016-10-06-at-2-11-07-pm]

Fix

The fix is to add rel="noopener noreferrer" to every link that carries target="_blank", or at the very least to links submitted by users.
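As an added example that is not part of the original post, the following Node.js script audits HTML for the pattern described in the Method section (target="_blank" without noopener) and computes the hardened rel value the fix above calls for. The sample HTML and the function names are constructed for this illustration.

```javascript
// Added example (not from the original post): find anchor tags that open a
// new tab while leaving window.opener intact, and emit a corrected rel value.
// Assumes plain Node.js; the HTML below is constructed sample input.

const SAMPLE_HTML = `
<a href="https://example.com/docs" target="_blank">docs</a>
<a href="https://example.net" target="_blank" rel="noopener noreferrer">safe</a>
<a href="https://user-content.example" target="_blank" rel="nofollow">user link</a>
<a href="/internal" target="_self">same tab</a>
`;

// Parse the attributes of one <a ...> tag into a lowercase-keyed object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// True when the link opens a new browsing context without severing window.opener.
function isUnsafeBlankLink(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const tokens = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
  // noreferrer implies noopener in browsers, so either token is sufficient.
  return !tokens.includes('noopener') && !tokens.includes('noreferrer');
}

// Keep any existing rel tokens (e.g. nofollow) and add the ones from the fix.
function hardenRel(rel) {
  const tokens = new Set((rel || '').toLowerCase().split(/\s+/).filter(Boolean));
  tokens.add('noopener');
  tokens.add('noreferrer');
  return [...tokens].join(' ');
}

// Scan HTML text and report every unsafe link together with its corrected rel.
function auditHtml(html) {
  const findings = [];
  for (const m of html.matchAll(/<a\b[^>]*>/gi)) {
    const attrs = parseAttrs(m[0]);
    if (isUnsafeBlankLink(attrs)) {
      findings.push({ href: attrs.href, fixedRel: hardenRel(attrs.rel) });
    }
  }
  return findings;
}

console.log(auditHtml(SAMPLE_HTML));
```

Browsers released since 2021 apply noopener to target="_blank" links by default, but the explicit rel attribute still covers older clients and links opened through window.open().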

And above all, if you find a site with this vulnerability, report it to the site's administrator immediately so it can be fixed.

ITZone via khoanguyen


Source : Khoa Nguyen