Potential tab nabbing attack
I am a security researcher and I have found this vulnerability in your website: https://hive.io/
Vulnerability report: Tab nabbing
Issue lies here:
Here I can see you are using target=_blank with no rel attribute.
target=_blank means the link opens in a new tab, but because of tabnabbing the newly opened page can also change the location of the parent tab. As a security principle, do not place too much trust in third parties and stay on the safe side.
FIX & MITIGATION :
To mitigate this issue we need to use rel="nofollow noopener noreferrer", as follows:
Proof of concept:
Note:
I have noticed that your website also contains many other external social links without these attributes, which is very dangerous. You are advised to use the recommended attributes in order to secure your website from this attack.
Tab Nabbing Exploit:
Whenever you open a new tab by clicking a link whose HTML code looks like this, the JavaScript running in the new tab keeps a reference (window.opener) to the window object of the site that opened the tab:
Blog
You are not allowed to read the location of the site that opened the tab, whether the rel="noreferrer" attribute is set or not. However, what you can do is change the location of the opener by using the following JavaScript code:
window.opener.location = 'https://attacker.com/phishing';
The tabnabbing attack would happen as follows:
1. The victim clicks a link on https://example.com/ containing target="_blank", which leads to https://attacker.com
2. https://attacker.com immediately redirects the tab where https://example.com/ is located to https://attacker.com/phishing
3. The victim looks at the attacker.com page and then goes back to the previous tab, which now contains a phishing page that looks exactly like https://example.com/ but prompts the victim to enter their login details again
This makes a phishing attack much more effective, because the user does not expect such behaviour and believes they are still on the original page ('tabnabbing'). The way to thwart this attack is to use rel="noopener", though rel="noreferrer" has the same effect.
It's interesting how such a small parsing mistake can have such a huge impact on the security of an application.
In this report I have only talked about Twitter, but you have to use rel="nofollow noopener noreferrer" on all the external links present in your website.
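As an added example (not part of the original report), the following Node.js helper audits an HTML string for target="_blank" anchors that lack both "noopener" and "noreferrer", and rewrites them with the recommended rel attribute. It is regex-based so it runs without a DOM; the SAMPLE markup is constructed for this example.

```javascript
// Constructed sample footer resembling the external social links the report describes.
const SAMPLE = `
<a href="https://twitter.com/example" target="_blank">Twitter</a>
<a href="https://github.com/example" target="_blank" rel="nofollow">GitHub</a>
<a href="https://medium.com/example" target="_blank" rel="noopener">Medium</a>
<a href="/about">About</a>`;

// Matches every opening <a ...> tag.
const ANCHOR_RE = /<a\b[^>]*>/gi;

// Returns the value of an attribute inside one opening tag, or null if absent.
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3];
}

// A link is unsafe when it opens a new tab and neither rel token severs window.opener.
function isUnsafeBlank(tag) {
  const target = getAttr(tag, 'target');
  if (!target || target.toLowerCase() !== '_blank') return false;
  const rel = (getAttr(tag, 'rel') || '').toLowerCase().split(/\s+/);
  return !(rel.includes('noopener') || rel.includes('noreferrer'));
}

// Lists the href of every unsafe target="_blank" link found in the HTML.
function findUnsafeBlankLinks(html) {
  const found = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    if (isUnsafeBlank(m[0])) found.push(getAttr(m[0], 'href') || '(no href)');
  }
  return found;
}

// Adds "noopener noreferrer" to unsafe links, keeping any existing rel tokens (e.g. nofollow).
function hardenBlankLinks(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    if (!isUnsafeBlank(tag)) return tag;
    const rel = getAttr(tag, 'rel');
    if (rel === null) return tag.replace(/>$/, ' rel="noopener noreferrer">');
    return tag.replace(/\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i,
      ` rel="${rel} noopener noreferrer"`);
  });
}

console.log(findUnsafeBlankLinks(SAMPLE)); // -> [ 'https://twitter.com/example', 'https://github.com/example' ]
console.log(hardenBlankLinks(SAMPLE));
```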
References:
1: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
2: https://developers.google.com/web/tools/lighthouse/audits/noopener
3: https://mathiasbynens.github.io/rel-noopener/
I hope you will fix this issue as soon as possible. I look forward to hearing from you. Thank you.
Warm Regards,
Taha Ismail