Target="_blank" - the most underestimated vulnerability ever


42 bookmarks. First posted by jokela may 2016.


noopener target blank
html  security  web 
yesterday by svp
You can change the old tab's location in the background and replace it with, e.g., a phishing site. Not good.
hacking  javascript  web 
4 days ago by traggett
People using target='_blank' links usually have no idea about this curious fact:

The page we're linking to gains partial access to the linking page via the window.opener object.

The newly opened tab can, say, change the window.opener.location to some phishing page. Or execute some JavaScript on the opener-page on your behalf... Users trust the page that is already opened, they won't get suspicious.

Example attack: create a fake "viral" page with cute cat pictures, jokes or whatever, get it shared on Facebook (which is known for opening links via _blank) and every time someone clicks the link - execute

window.opener.location = 'https://fakewebsite/facebook.com/PHISHING-PAGE.html';
…redirecting to a page that asks the user to re-enter her Facebook password.
security  web-development  gotcha  best  blank 
4 days ago by hellsten
Target="_blank" - the most underestimated vulnerability ever - Wednesday, May 4, 2016 - Founder's blog
4 days ago by igorette
If you link to another site with `target="_blank"`, also use `rel="noopener"`. See AND
from twitter_favs
10 weeks ago by ricny046
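The excerpt above describes the attack (the opened page navigates its opener via window.opener.location) and the bookmark above it gives the fix (rel="noopener"). One caveat worth adding: across origins, window.opener only exposes the cross-origin subset of the Window interface, so a child page can set opener.location and call postMessage, but cannot run arbitrary script in the opener; the redirect-to-a-lookalike attack is the realistic one. The following is an added example, not code from the original post or from the blog it bookmarks. It shows a small, self-contained scanner/fixer in JavaScript that flags anchors with target="_blank" lacking noopener (or noreferrer, which implies it) and rewrites them, plus a runtime window.open wrapper. The attribute parser, function names and the SAMPLE_HTML input are all constructed for this example.

```javascript
// Added example (not from the original post): find target="_blank" links that
// leave window.opener reachable and add rel="noopener noreferrer" to them.

// Parse the attributes of one <a ...> start tag into a map with lower-cased names.
// Simplified attribute grammar: name="v", name='v', name=v, or a bare name.
function parseAttrs(tag) {
  const attrs = Object.create(null);
  const inner = tag.replace(/^<a\b/i, '').replace(/\/?>$/, '');
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// True when the anchor opens a new browsing context (target="_blank", any case)
// and its rel severs neither the opener link nor the referrer: "noreferrer"
// implies "noopener" in current browsers, so either token counts as safe.
function isUnsafeBlankLink(attrs) {
  if ((attrs.target || '').trim().toLowerCase() !== '_blank') return false;
  const rel = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Rewrite every unsafe <a target="_blank" ...> start tag in an HTML string,
// appending the missing rel tokens (or adding a rel attribute). Returns the
// hardened markup and how many tags were changed. Other markup is untouched.
function hardenBlankLinks(html) {
  let fixed = 0;
  const out = html.replace(/<a\b[^>]*>/gi, (tag) => {
    const attrs = parseAttrs(tag);
    if (!isUnsafeBlankLink(attrs)) return tag;
    fixed++;
    const tokens = (attrs.rel || '').split(/\s+/).filter(Boolean);
    for (const t of ['noopener', 'noreferrer']) if (!tokens.includes(t)) tokens.push(t);
    const rel = `rel="${tokens.join(' ')}"`;
    if ('rel' in attrs) {
      // Replace the existing rel="..." value in place.
      return tag.replace(/\brel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, rel);
    }
    // No rel attribute yet: insert one just before the closing ">" or "/>".
    return tag.replace(/\/?>$/, (end) => ` ${rel}${end}`);
  });
  return { html: out, fixed };
}

// Runtime counterpart for programmatic opens (browser only): ask for the
// "noopener" window feature and, for older browsers that still hand back the
// handle, null the back-reference explicitly.
function safeOpen(url) {
  const w = window.open(url, '_blank', 'noopener,noreferrer');
  if (w) w.opener = null;
  return w;
}

// Constructed sample markup: two unsafe links, one already safe, one same-tab.
const SAMPLE_HTML = [
  '<p>Share: <a href="https://example.com/cats" target="_blank">cute cats</a></p>',
  '<a href="https://example.com/docs" target="_BLANK" rel="nofollow">docs</a>',
  '<a href="/internal" target="_blank" rel="noopener">already safe</a>',
  '<a href="https://example.com/same">same tab, no opener issue</a>',
].join('\n');

const result = hardenBlankLinks(SAMPLE_HTML);
console.log(`hardened ${result.fixed} link(s):\n${result.html}`);
```

Running it reports two hardened links: the first gains rel="noopener noreferrer" and the second's rel="nofollow" becomes rel="nofollow noopener noreferrer"; the link that already carries noopener and the same-tab link are left alone, and running the function again over its own output changes nothing. For content you do not control (a CMS editor, user-submitted HTML) the same check can run at render time with document.querySelectorAll('a[target="_blank"]') and set rel on each element.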
how to open pages in a new tab safely
javascript  security 
july 2017 by yann
This isn't limited to _blank, is it? Closing or reloading the opener is the usual use, but since its URL is known, you could also swap its contents for a carefully made clone.
march 2017 by knu
Target="_blank" - the most underestimated vulnerability ever
february 2017 by Lawrence
RT : Another HTML thing I learned today: using target=_blank is a security vulnerability
from twitter_favs
january 2017 by wasser
I don't get it.
november 2016 by WaltMG
The point is that a page opened via target="_blank" can navigate the original page through window.opener.location, so add rel="noopener noreferrer".
may 2016 by 1000ch
More reasons to *never* use target=“_blank” via
from twitter
may 2016 by matthewbeta
People using target='_blank' links usually have no idea about this curious fact:
Web_Security  Web_Development 
may 2016 by GameGamer43
People using target='_blank' links usually have no idea about this curious fact:
security  javascript  web  html 
may 2016 by philipe
The page we're linking to gains partial access to the linking page via the window.opener object. The newly opened tab can, say, change the window.opener.location to some phishing page. Or execute some JavaScript on the opener-page on your behalf...
may 2016 by muhh
Target="_blank" - the most underestimated vulnerability ever
InfoSec  from twitter_favs
may 2016 by reinhard_codes