Target='_blank'
The target="_blank" attribute in HTML, used from Facebook to Google, is susceptible to a massive phishing vulnerability.
The Vulnerability
When a link uses this attribute, the page it opens gains access to the referring page through the window.opener object. This allows malicious users to execute JavaScript code, change the window.opener.location, etc. This also works with window.open().
Example
Say I have a link on my Facebook page pointing back to my website.
All I’d need to do at this point is execute a bit of JavaScript code and phish away.
This essentially gives me control over aspects of the referring page; in this case, the referring page was none other than Facebook.
The Fix
rel='noopener' for Chrome, Safari, Opera, IE.
rel='noopener noreferrer' for Firefox.
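One way to audit existing markup for the fix above, as an added example that is not code from the original post: it flags target="_blank" links whose rel lacks either token and rewrites them to carry both, which covers every browser listed. The function names, the sample HTML and the regex-based tag scanning are assumptions made for this sketch.

```javascript
// Added example: audit and harden <a target="_blank"> tags in an HTML string.
// Assumption: regex tag scanning is good enough for simple templates;
// use a real HTML parser for arbitrary markup.
const ANCHOR_TAG = /<a\s[^>]*>/gi;
const REL_ATTR = /\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i;
const REQUIRED = ['noopener', 'noreferrer'];

// Read one attribute value from an opening tag (quoted or unquoted).
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function opensNewWindow(tag) {
  const target = getAttr(tag, 'target');
  return target !== null && target.toLowerCase() === '_blank';
}

function relTokens(tag) {
  const rel = getAttr(tag, 'rel');
  return rel ? rel.toLowerCase().split(/\s+/).filter(Boolean) : [];
}

// hrefs of every target="_blank" link missing noopener or noreferrer.
function findUnsafeBlankLinks(html) {
  return (html.match(ANCHOR_TAG) || [])
    .filter(tag => opensNewWindow(tag) &&
                   !REQUIRED.every(t => relTokens(tag).includes(t)))
    .map(tag => getAttr(tag, 'href'));
}

// Add the missing tokens, keeping any rel values already present.
function hardenBlankLinks(html) {
  return html.replace(ANCHOR_TAG, tag => {
    if (!opensNewWindow(tag)) return tag;
    const tokens = relTokens(tag);
    for (const t of REQUIRED) if (!tokens.includes(t)) tokens.push(t);
    const rel = ` rel="${tokens.join(' ')}"`;
    return REL_ATTR.test(tag) ? tag.replace(REL_ATTR, rel)
                              : tag.replace(/>$/, `${rel}>`);
  });
}

// Constructed sample markup, not taken from any real site.
const SAMPLE_HTML = [
  '<a href="https://example.test/a" target="_blank">no rel</a>',
  '<a href="https://example.test/b" target="_blank" rel="nofollow">other rel</a>',
  '<a href="https://example.test/c" target="_blank" rel="noopener noreferrer">fixed</a>',
  '<a href="/local">same window</a>',
].join('\n');
```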
Other Issues
This actually can lead to more than just phishing attacks, not to say that changing the URL of your banking site without you knowing in order to gain access to your login credentials isn’t bad!
Since I now have access to the window.opener object, I have partial access to what was on the referring page - allowing me to gather more information about the user who clicked through to the link, and perhaps steal some valuable information from you if I’m good enough!
So far, this issue has been spotted on Facebook, Twitter, Instagram, and Google, all of which are heavy targets for phishing and privacy concerns.