and tabnabbing should work against every site in ~every browser. basically, if you don't constantly monitor the address bar, you lose
that is the current state of web security - and yes, it sucks
+1. Looking at the <a href> is not enough, and fixing OR has likely negligible impact on phishing. https://sites.google.com/site/bughunteruniversity/nonvuln/attacks-facilitating-phishing-or-social-engineering …
Replying to @kkotowicz @mikko
well, TBF, IMO, this is slightly worse than classic OR, and the "looking at <a href>" part doesn't apply here
it is pretty nasty that, following a legitimate login page, a fake "wrong password" error page can be shown
the initial click is from external site, so tabnabbing could do the same (modulo timing maybe)
I know, hence +1. I don't get why it's nastier though
Replying to @kkotowicz @mikko
you said "Looking at the <a href> is not enough" - and with classic OR, yeah, the user has to look at the address bar once
but here (and also with tabnabbing), the user has to monitor the address bar more or less continuously
also, tabnabbing needs two tabs, and thanks to popup blockers that requires a click -> this saves one click for spearphish