Friday, September 2, 2016

Facebook and Twitter Accounts Can Be Hacked Through the target="_blank" Vulnerability

The target attribute specifies where a link opens, and target="_blank" opens the link in a new tab. Attackers use this behavior for phishing attacks. When a user clicks the text link, the malicious link opens in a new tab. This attack happens in the browser, not on web servers.

How does it work?

According to security researcher Ben Halpern, Facebook and Twitter social network accounts are vulnerable.

To restrict window.opener access from the newly opened page, the original page needs to add a rel="noopener" attribute to any link that has target="_blank". However, Firefox does not support it, so you should actually use rel="noopener noreferrer" for full coverage.

Some amount of prevention can be achieved through scripting, though, as observed with Twitter, this seems to fail on Safari. This issue is not well-known, and is totally underestimated. This has been brought up in a Web Hypertext Application Technology Working Group mailing list, said Halpern.



How to Fix?

Developers should add the rel="noopener" attribute to every link that uses target="_blank" in their website code. Because some browsers do not fully support that attribute, developers should use rel="noopener noreferrer" instead.
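One way to apply this fix to existing markup, as an added example that is not code from the original post: a dependency-free JavaScript function that finds <a> tags with target="_blank" and adds the missing rel tokens while keeping any tokens already present. The function names and the sample markup are constructed for illustration.

```javascript
// Added example; function names and sample markup are constructed for illustration.
const REQUIRED = ["noopener", "noreferrer"];
// Opening <a ...> tags; quoted attribute values may contain ">".
const A_TAG = /<a(?=[\s>\/])(?:"[^"]*"|'[^']*'|[^'">])*>/gi;
// One attribute: name, then an optional quoted or bare value.
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Return the tag unchanged unless it opens a new tab without both rel tokens.
function hardenTag(tag) {
  const inner = tag.slice(2, -1); // text between "<a" and ">"
  let target = null, rel = null;
  for (const m of inner.matchAll(ATTR)) {
    const attr = { value: m[2] ?? m[3] ?? m[4] ?? "", start: m.index, end: m.index + m[0].length };
    const name = m[1].toLowerCase();
    if (name === "target" && !target) target = attr; // browsers honour the first duplicate
    if (name === "rel" && !rel) rel = attr;
  }
  if (!target || target.value.toLowerCase() !== "_blank") return tag;
  const tokens = rel ? rel.value.split(/\s+/).filter(Boolean) : [];
  const have = new Set(tokens.map((t) => t.toLowerCase()));
  const missing = REQUIRED.filter((t) => !have.has(t));
  if (missing.length === 0) return tag;
  const relAttr = `rel="${[...tokens, ...missing].join(" ")}"`; // keeps tokens such as nofollow
  const newInner = rel
    ? inner.slice(0, rel.start) + relAttr + inner.slice(rel.end)
    : inner.trimEnd() + " " + relAttr;
  return "<a" + newInner + ">";
}

// Rewrite every affected link in an HTML string and report how many changed.
function hardenBlankLinks(html) {
  let fixed = 0;
  const out = html.replace(A_TAG, (tag) => {
    const hardened = hardenTag(tag);
    if (hardened !== tag) fixed++;
    return hardened;
  });
  return { html: out, fixed };
}

const SAMPLE = [ // constructed sample markup
  '<a href="https://example.test/a" target="_blank">unprotected</a>',
  '<a href="https://example.test/b" target="_blank" rel="nofollow">partial</a>',
  '<a href="https://example.test/c" target="_blank" rel="noopener noreferrer">ok</a>',
  '<a href="/local" title="target=_blank">same tab</a>',
].join("\n");
const result = hardenBlankLinks(SAMPLE);
console.log(result.fixed + " link(s) fixed");
console.log(result.html);
```

Running the function in a build step or template linter catches links added later; links that already carry both tokens, and links that do not open a new tab, are left untouched.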
