Major Internet services like Facebook, Twitter and Instagram expose their users to phishing attacks by using the target="_blank" HTML attribute in an insecure way.
Phishing Attacks Made Simple by Major Web Services
Security experts have identified that major web services such as Facebook, Instagram, and Twitter expose their users to phishing attacks by using unsafe code. The target="_blank" HTML attribute has repeatedly been used by criminals in spam and phishing campaigns. When web developers use links that carry this attribute, they give the linked page partial access to the linking page via the window.opener object.
The newly opened page can change the opener's location to a redirection page or a phishing site; JavaScript code can also be triggered this way. Most web browsers assume that the user trusts the link, so they allow the unsafe behavior. An example attack was demonstrated on Facebook, where a malicious user crafted a fake viral page with meme images that had embedded links. Upon clicking on the target link, the user was redirected to a phishing site that requested the credentials for their Facebook account.
The developers suggest an easy fix: programmers simply need to add rel="noreferrer" to mitigate this vulnerability.
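The mitigation above can be enforced mechanically rather than left to every author remembering it. The following is an added example, not code from the article or from any of the services it names: it scans HTML for anchors that open a new tab without severing window.opener and rewrites their rel attribute. It sets both noreferrer, the token the article recommends, and noopener, the token browsers define specifically to null out window.opener. It works on HTML strings so it can run in a build or CI step without a DOM; the sample markup and the example.invalid URLs are constructed for the demonstration.

```javascript
// Added example: find and harden <a target="_blank"> links that leave
// window.opener reachable from the opened page. Not code from the article.

const REQUIRED_RELS = ["noopener", "noreferrer"];

// Parse the attributes inside a single <a ...> opening tag into a map.
// Handles double-quoted, single-quoted and unquoted attribute values.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    attrs[name] = value;
  }
  return attrs;
}

// An anchor is unsafe when it targets a new browsing context and its rel
// carries neither token that cuts the opener relationship. Either token is
// enough on its own: noreferrer implies noopener in current browsers.
function isUnsafeAnchor(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank") return false;
  const rels = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  return !rels.includes("noopener") && !rels.includes("noreferrer");
}

// Rewrite every unsafe anchor so its rel includes noopener and noreferrer,
// keeping any rel tokens (e.g. nofollow) the author already set.
function hardenAnchors(html) {
  return html.replace(/<a\b([^>]*)>/gi, (full, body) => {
    const attrs = parseAttributes(body);
    if (!isUnsafeAnchor(attrs)) return full;
    const existing = (attrs.rel || "").split(/\s+/).filter(Boolean);
    const merged = [...new Set([...existing, ...REQUIRED_RELS])].join(" ");
    // Remove the old rel attribute (if any) and append the merged one.
    const stripped = body.replace(/\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, "");
    return `<a${stripped} rel="${merged}">`;
  });
}

// Count anchors that still need attention; useful as a failing CI check.
function countUnsafeAnchors(html) {
  let count = 0;
  for (const m of html.matchAll(/<a\b([^>]*)>/gi)) {
    if (isUnsafeAnchor(parseAttributes(m[1]))) count++;
  }
  return count;
}

// The same hole exists for script-driven openers: window.open() without the
// "noopener" feature also hands the new window a reference back to this one.
// Only meaningful in a browser; guarded so the module loads under Node.
function safeOpen(url) {
  if (typeof window === "undefined") return null;
  return window.open(url, "_blank", "noopener,noreferrer");
}

// Constructed sample page: one unsafe link, one already hardened,
// one unquoted-attribute link that carries only nofollow.
const SAMPLE_HTML =
  '<p><a href="https://example.invalid/meme" target="_blank">meme</a> ' +
  '<a href="/local" target="_blank" rel="noopener">safe</a> ' +
  "<a href='https://example.invalid/x' target=_blank rel=nofollow>x</a></p>";

console.log("unsafe before:", countUnsafeAnchors(SAMPLE_HTML));
console.log(hardenAnchors(SAMPLE_HTML));
console.log("unsafe after:", countUnsafeAnchors(hardenAnchors(SAMPLE_HTML)));
```

Running this over the sample reports two unsafe anchors before and zero after; the link that already had rel="noopener" is left untouched, and the nofollow link keeps its existing token alongside the two added ones. The regex-based scan is adequate for templates and static output; for markup assembled at runtime, a server-side HTML sanitizer or a DOM walk over document.links applying the same isUnsafeAnchor test is the equivalent check.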
Security expert Ben Halpern discovered that major web services such as Facebook, Twitter and Instagram are affected by the issue. Other popular websites are plagued by the same problem.