Protect your browser from "tabnabbing"
Have you heard about "Tabnabbing"? It is the term for a new kind of attack, which can be summarized as grabbing a Web browser tab when you aren't looking and making it appear as another site.
Aza Raskin, lead designer for Firefox, created a page that illustrates this. If you click on that link and then ignore it for a while (create and switch to another tab), Aza's page will turn into a lookalike for Gmail.
He claims this will work in "all major browsers," and I confirmed it in Safari, Google Chrome, and Firefox on the Mac. It even worked -- albeit poorly and less regularly -- in OmniWeb and Opera. However, before users of either of those browsers claim some sort of victory, please realize that my testing was not scientific or extensive, and Aza's "proof of concept" may not be as thorough as some other sites.
Aza's example isn't too difficult to spot: if you look at the Address Bar, you will see that the URL still points to his domain. However, he could easily redirect you to a non-Latin domain name that looks like a different website's, which would be harder to spot.
What should you do to protect yourself? Well, perhaps unsurprisingly, Aza thinks you should use Firefox, which has an Account Manager feature that is supposed to help protect you from this kind of attack.
But what about the next phishing attack? Or what if you prefer a different browser? Read on for a better solution that will allow you to use just about any browser you choose...
I was protected from "tabnabbing" before anyone had ever heard of tabnabbing.
How? Simple, I use 1Password. If you don't know 1Password, now is a great time to take a closer look. It can not only create extremely secure passwords, but it will also remember them for you and automatically fill them in with a click or a keystroke. But here's the key: 1Password will only fill in a password on the same site where you saved it.
1Password won't be fooled the way the human eye can be. If you save your Gmail password in 1Password, and another site manages to trick you into thinking that it is Gmail, it won't fool 1Password. And because you will quickly become accustomed to 1Password filling in your passwords for you, when it doesn't work as expected, you'll take a closer look. Maybe you'll close that tab and open a new one, or maybe you'll use 1Password's awesome "Fill and Submit" feature which will pull up the proper site and automatically log you in. What you almost certainly will not do is blindly type your username and password in, because 1Password makes it so easy to do it securely.
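To make the "same site" rule concrete, here is an added sketch of origin-bound filling. It is not 1Password's code: the saved login, the function names and the exact-origin matching policy are assumptions made for the example.

```javascript
// Added illustration of origin-bound credential filling (not 1Password's code).
// The saved login below is constructed sample data.
const savedLogins = [
  { origin: "https://mail.google.com", username: "alice@example.com" },
];

// Reduce a URL to scheme + host + port. The WHATWG URL parser lowercases the
// host and converts non-ASCII labels to punycode ("xn--..."), so a lookalike
// written with non-Latin letters can never compare equal to the real host.
function canonicalOrigin(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // unparseable input never matches anything
  }
  if (url.protocol !== "https:") return null; // assumed policy: no fill over plain HTTP
  return url.origin;
}

// Return the saved login for the page shown in the tab, or null if none matches.
// The page title, favicon and layout play no part in the decision.
function loginForPage(pageUrl, logins = savedLogins) {
  const pageOrigin = canonicalOrigin(pageUrl);
  if (pageOrigin === null) return null;
  return logins.find((l) => canonicalOrigin(l.origin) === pageOrigin) ?? null;
}

// Describe the decision for one tab.
function explain(pageUrl) {
  const hit = loginForPage(pageUrl);
  if (hit) return `fill ${hit.username}`;
  return `no fill for ${canonicalOrigin(pageUrl) ?? "rejected URL"}`;
}

// Constructed test pages: the genuine site, a tab on another domain that has
// restyled itself, and a host spelled with Cyrillic "o" (U+043E) twice.
console.log(explain("https://mail.google.com/mail/u/0/"));
console.log(explain("https://tabnab.example/looks-like-gmail"));
console.log(explain("https://mail.g\u043e\u043egle.com/"));
```

Only the first page gets a fill; the other two leave the fields empty, which is the cue to look at the Address Bar.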
The initial cost for 1Password is $40. If you've participated in some of the Mac software bundles over the past few years, you might already own a copy. That's how I first came to try it out. There is a 30-day evaluation period and a 30-day money back guarantee. This is a company that has no qualms about you trying out their product and is sure that you'll want to stick with it.
There's even an iPhone and iPad app available. I own the Pro version and it was the easiest money I've spent at the App Store. Heck, there's even a beta version available for Windows for those of you who live in a dual operating system world. (You can access your 1Password data on a Linux system, but that's outside the scope of this article.) 1Password even lets you sync your password data via Dropbox.
1Password will help secure your passwords against this type of attack and many others simply by being smart enough to not be as easily fooled as we might be. If you use its strong password generator you can also get away from that bad habit of reusing the same password at multiple sites. If you have logins which require you to change them periodically, 1Password can keep those secure as well, so you aren't tempted to just add a number to the same password you used last time.
1Password Pro for iPhone and iPad is on sale for $6.99 (normally $14.99), and the iPad-only version and iPhone 'non-pro' version are both currently $3.99 each instead of $6.99. Those prices are good for this week only. I highly recommend the Pro version. Not only are you getting a universal iPhone/iPad app, but there are more features in the Pro version and still more planned. The "Look up in 1Password" bookmarklet is extremely handy, and the ability to wirelessly sync ("coming soon") will be a great addition.
Passwords are incredibly important. We all have too many of them. 1Password makes dealing with them a lot easier and safer, and protects you from some threats before you ever even heard of them.
The 1Password developers even have a video which explains how it works, in case this explanation hasn't been enough. They are also great about answering support emails and have great support forums too. (Since someone is bound to ask: no, I don't have any financial stake in the company, I've bought all of this software with my own money, both for the Mac and iPhone. I'm just a very happy customer.)