Facebook username and password phishing using Target="_blank" vulnerability
This vulnerability has been blogged about by several other excellent bloggers, but I would like you to see how potentially dangerous this vulnerability is with a demo video. A lot of pages has this problem and I guess this vulnerability will be around for quite some time.
I do not serve a fake Facebook site, I just made a video of how this hack could be done and closed it down. I also made my filenames with dummy names like fashi.html
, meaning absolute nothing.
I got inspired by a blog post written by Alex Yumashev (@jitbit) where he writes about Target=”_blank” — the most underestimated vulnerability ever.
The case is that if you, in your page, use the target="_blank"
attribute to open a link in a new browser window or tab, the new tab gains partial access to the page you opened the link from. The window.location object and the newly opened tab can redirect the page you opened the link from to a phishing site. See the movie later in this post to understand the concept easier.
If you use google directive intext: and search for target="_blank"
google will give you a number of 75,800,000 pages that contain target="_blank"
. Of course some of these sites just discuss the target="_blank"
functionality, but this search gives a good picture of the potential range of this security issue.
I decided to make a Facebook phishing proof of concept using the target=”_blank”
vulnerability. After this blogpost is published I will close the fake Facebook page to ensure that no one will leave their usernames and passwords on my server. I'm a big fan of Facebook and do not want to make them look bad, however this vulnerability makes it pretty easy to make phishing sites. I did some on other sites as well and it seems that this problem is a big one for a lot of big websites. As a user of these great websites, I would like them to solve this problem as quick as possible. I have been in contact with Facebook regarding this issue and they have accepted me publishing this post and video.
So what happens here? The url posted by "the hacker" to my Facebook site opens a new tab which loads the page of the hacker. The page seems quite safe, but wait, what happened to my Facebook tab? It was logged out it seems. When I entered my fake username and password once more I got back into my Facebook page again like nothing really happened. This happens because the hacker's fake Facebook site redirects with a 302 back to the authentic Facebook site. And guess what, you have never really logged out, so when you get redirected you are obviously still logged in. But what you did not know because it was kind of invisible, the username and password were harvested by the hacker and logged in a file on his server.
Why is this a big problem? Well, what if this page contains something that's funny and shocking and people share this link on Facebook? The hacker will get a lots of usernames and passwords!
As discussed in Alex Yumashev's blogpost at the start of this blogpost, there is something Facebook and many others can do to prevent this; add rel="noopener" to all the out links. This will work for several browser, but not Firefox (for now). To support Firefox as well the website must also provide the noreferrer directive thus rel="noopener noreferrer".
Remember to always check the url of a site you post your username and password in. In the case of the demo in the video you can see that the log in page is NOT a Facebook page. Also make sure the login page uses https before you post your username and password.
Stay safe!