Anyone who’s used the internet knows that when you click a link on a web page, one of two things may happen. The link may load right there in your current tab or window, or it may open in a new one.
Websites that don’t want you to leave, like Facebook and Twitter, tend to opt for the latter. And since people generally don’t want to lose their place on their social media feeds, this functionality has come to be expected.
But that minor convenience comes with a glaring security hole. When a user clicks a link and it opens in a new tab or window, the newly opened page gets a reference back to the page the user clicked from (in JavaScript, window.opener). That access is limited: a page on another origin cannot read the original page’s contents, but it can tell the original tab to navigate to an entirely different website.
So imagine you click a link on Facebook and it opens in a new tab. You look at that page for a few minutes, then close it and go back to your Facebook tab. Oddly, Facebook says you’ve been logged out and presents you with a login page. It seems strange, but you’ve had Facebook open in this tab all day and don’t have much reason to be suspicious. You enter your login credentials, and you’ve just been phished. The page you’ve logged into isn’t Facebook, but a rogue website that the link you clicked quietly loaded into the original tab.
It’s a slightly more sophisticated version of the email phishing scams everyone knows to avoid. “Click this link to claim your cash prize,” etc.
The vulnerability exists because Facebook and Twitter insert the target="_blank" attribute into their hyperlink code, which is the common method for making links open in new tabs. The full hyperlink HTML looks like this:
<a href="//qz.com" target="_blank">Quartz</a>
Developer Ben Halpern pointed out on his website earlier this month that the issue could be fixed by inserting the rel="noopener" attribute into a …
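The following is an added example, not code from the article, from Ben Halpern’s post, or from Facebook or Twitter: a small scanner and fixer for exactly the pattern described above. It finds anchor tags that use target="_blank" without rel="noopener" (or rel="noreferrer", which modern browsers treat as also severing the opener link) and returns a copy of the markup with rel="noopener" added, merging with any rel values already present. The HTML fed to it is constructed sample input.

```javascript
// Added example: find <a target="_blank"> links that leave window.opener reachable
// and emit a hardened copy. Not code from the article or from any site it names.

// Constructed sample markup: two unsafe links, one local link, one already fixed.
const SAMPLE_HTML = `
<p>
  <a href="https://qz.com" target="_blank">Quartz</a>
  <a href="https://example.com" target="_blank" rel="nofollow">Example</a>
  <a href="/settings">Settings</a>
  <a href="https://example.org" target="_blank" rel="noopener">Already safe</a>
</p>`;

// Matches name="value", name='value' or name=value inside an opening tag.
const ATTR_RE = /([^\s=\/>"']+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
// Matches every <a ...> opening tag (case-insensitive).
const ANCHOR_OPEN_RE = /<a\b[^>]*>/gi;

// Parse one opening tag's attributes into a Map keyed by lower-cased name.
function parseAttrs(tag) {
  const attrs = new Map();
  for (const m of tag.matchAll(ATTR_RE)) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// A link is unsafe when it opens a new browsing context (target="_blank") and
// its rel list contains neither noopener nor noreferrer; in that case the new
// page can set window.opener.location on the tab the user came from.
function isUnsafeBlankLink(tag) {
  const attrs = parseAttrs(tag);
  if ((attrs.get('target') || '').toLowerCase() !== '_blank') return false;
  const rel = (attrs.get('rel') || '').toLowerCase().split(/\s+/);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Return every unsafe anchor opening tag found in the markup.
function findUnsafeBlankLinks(html) {
  return (html.match(ANCHOR_OPEN_RE) || []).filter(isUnsafeBlankLink);
}

// Return the markup with rel="noopener" added to each unsafe anchor.
function hardenBlankLinks(html) {
  return html.replace(ANCHOR_OPEN_RE, (tag) => {
    if (!isUnsafeBlankLink(tag)) return tag;
    const relMatch = /\srel\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/i.exec(tag);
    if (relMatch) {
      // Keep existing rel tokens (e.g. nofollow) and append noopener.
      const raw = relMatch[1].replace(/^["']|["']$/g, '');
      const merged = `rel="${raw ? raw + ' ' : ''}noopener"`;
      return tag.slice(0, relMatch.index + 1) + merged +
             tag.slice(relMatch.index + relMatch[0].length);
    }
    // No rel attribute yet: insert one just before the closing '>' or '/>'.
    return tag.replace(/\s*\/?>$/, (end) => ` rel="noopener"${end}`);
  });
}

// Stand-alone run: report what was found and show the hardened markup.
console.log('Unsafe links:', findUnsafeBlankLinks(SAMPLE_HTML));
console.log(hardenBlankLinks(SAMPLE_HTML));
```

Run with `node` on a saved copy of your templates, or wire findUnsafeBlankLinks into a build step so any new target="_blank" link without rel="noopener" fails the build. The regex-based parsing is deliberate for a lint pass over static templates; for markup produced at runtime, set the rel attribute where the anchor is generated rather than rewriting the output.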