Google is releasing a new security feature to prevent tab-nabbing attacks. Tab-nabbing is a new type of online attack in which a new browser tab can be hijacked. It is a sophisticated phishing attack where the URL of a tab is replaced with a malicious one while the contents of the webpage remain the same.
“As the user was originally on the correct page they are less likely to notice that it has been changed to a phishing site, especially if the site looks the same as the target. If the user authenticates to this new page then their credentials (or other sensitive data) are sent to the phishing site rather than the legitimate one,” as explained by OWASP.
While there are different types of tab-nabbing attacks, Google is technically looking at blocking Reverse Tabnabbing.
“To mitigate "tab-napping" attacks, in which a new tab/window opened by a victim context may navigate that opener context, the HTML standard changed to specify that anchors that target _blank should behave as if |rel="noopener"| is set. A page wishing to opt out of this behavior may set |rel="opener"|,” explained Google.
Google will include this new feature in Chrome 88, which is expected to be released in January 2021.
According to a report by ZDNet, tabnabbing attacks are becoming popular, and “Apple, Google, and Mozilla have created the rel="noopener" attribute” to prevent such attacks. Apple and Mozilla added the rel="noopener" attribute to Safari and Firefox respectively in 2018, but Google is only now adding it to Chrome.
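Because the protection now depends on both the link's rel tokens and the browser version, site owners may want to know which of their target="_blank" links rely on the new default and which opt out. The following Node.js script is an added example, not code from the article, Google or OWASP; the function names, status labels and sample markup are assumptions made for illustration.

```javascript
// Added example. SAMPLE_HTML is constructed input, not markup from a real site.
const SAMPLE_HTML = `
<a href="https://partner.example/a" target="_blank">default</a>
<a href="https://partner.example/b" target="_blank" rel="noopener noreferrer">explicit</a>
<a href="https://partner.example/c" target="_BLANK" rel="opener">opt-out</a>
<a href="https://partner.example/d" target=_blank rel='nofollow'>nofollow only</a>
<a href="/local">same tab</a>`;

// Parse the attributes of one <a> start tag into a map with lowercase names.
function parseAttrs(tag) {
  const attrs = Object.create(null);
  const body = tag.replace(/^<a/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    // HTML keeps the first occurrence of a duplicated attribute.
    if (!(name in attrs)) attrs[name] = m[2] || m[3] || m[4] || "";
  }
  return attrs;
}

// Decide whether the page opened by this link can reach window.opener.
function classify(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank") return null; // out of scope
  const rel = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  // noreferrer also implies noopener, so either token protects the opener.
  if (rel.includes("noopener") || rel.includes("noreferrer")) return "protected";
  // rel="opener" is the opt-out: the new tab keeps its opener reference.
  if (rel.includes("opener")) return "opener-retained";
  // No token: safe only where the browser applies the new default.
  return "relies-on-default";
}

// Simplified scanner: assumes no ">" inside attribute values.
function auditLinks(html) {
  const findings = [];
  for (const tag of html.match(/<a(?=[\s>\/])[^>]*>/gi) || []) {
    const attrs = parseAttrs(tag);
    const status = classify(attrs);
    if (status) findings.push({ href: attrs.href || "", status });
  }
  return findings;
}

console.log(auditLinks(SAMPLE_HTML));
```

Links reported as relies-on-default are the ones to give an explicit rel="noopener" if visitors may still use browsers without the new behaviour; opener-retained links deserve a review of whether the destination really needs its opener.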