How to Avoid Giving Away Your Data through Open Tabs
There’s more than one way to lose all your sensitive data in just a single browsing session. The web browser experience can prove to be quite dangerous for the uninitiated, even if all you’re doing is opening a handful of tabs.
As is often the case with technology, there’s just a thin layer of code between you and a harmful data breach. In the case of web browsers, that protective layer is called the same-origin policy. However, a bit of creative hacking can still circumvent it, which is why you must learn all you can to avoid giving away your data through open tabs.
The Same-Origin Policy
In the web context, an origin consists of the scheme, host, and port of a URL. The same-origin policy operates by restricting the methods that one origin can use to talk to another. HTTP requests with GET and POST methods are allowed, while PUT and DELETE are not.
Such limitations attempt to curb the kinds of messages two different origins are allowed to send one another. The idea is to allow origins to send information to each other, but not to request it.
Simply put, one tab cannot request the information of another tab of a different origin (different protocol or domain name). For example, the same-origin policy prevents unsafe websites from peeking into a tab containing a logged-in bank account.
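To make the origin tuple concrete, here is a small added example (not code from the original article) that compares URLs the way a browser does when deciding whether two tabs share an origin: scheme, host and port are compared, path and query are ignored, and a default port written explicitly still counts as the same origin. The sample URL pairs are constructed for illustration; `bank.example` is a placeholder domain.

```javascript
// Added example, not from the original article: how a browser decides whether
// two URLs share an origin. The tuple is (scheme, host, port); path, query and
// fragment play no part. The URL class normalises default ports, so an explicit
// :443 on an https URL is still the same origin as the URL without it.
function originOf(urlString) {
  return new URL(urlString).origin; // e.g. "https://bank.example" (scheme://host[:port])
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Report which part(s) of the tuple differ, useful when reviewing why a
// request from one tab is treated as cross-origin by another.
function originDiff(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  const diffs = [];
  if (ua.protocol !== ub.protocol) diffs.push('scheme');
  if (ua.hostname !== ub.hostname) diffs.push('host');
  if (ua.port !== ub.port) diffs.push('port'); // default ports are normalised to ""
  return diffs;
}

// Constructed sample pairs (placeholder domains), one per case.
const SAMPLE_PAIRS = [
  ['https://bank.example/accounts', 'https://bank.example/transfer?to=1'], // same origin
  ['https://bank.example', 'https://bank.example:443/'],                    // same origin
  ['https://bank.example', 'http://bank.example'],                          // scheme differs
  ['https://bank.example', 'https://www.bank.example'],                     // host differs
  ['https://bank.example', 'https://bank.example:8443'],                    // port differs
];

function runSamples() {
  return SAMPLE_PAIRS.map(([a, b]) => ({ a, b, same: sameOrigin(a, b), diff: originDiff(a, b) }));
}

for (const r of runSamples()) {
  console.log(r.same ? 'same-origin ' : 'cross-origin', r.a, '|', r.b, r.diff.join(','));
}
```

Note that a subdomain (`www.bank.example`) is a different origin from the apex host; the policy compares host names literally, not by registrable domain.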
However, due to the nature of the internet, it’s still possible to send information cross-site. In fact, disabling it would defeat the purpose of having a world wide web in the first place, since you would technically disable cross-site hyperlinks. No hyperlinks means no web to traverse.
Unfortunately, those with malicious intent can get around the same-origin policy. The two most common methods used to invade your open tabs are tabnabbing and CSRF.
Tabnabbing
If you have a tendency to leave a multitude of tabs open (including tabs with sensitive data), you might be at risk of a phishing attack known as tabnabbing. Tabnabbing involves a script hijacking one of the inactive (unfocused) tabs you left open a while ago. It relies on you forgetting all the tabs you opened while also not paying attention to the tabs’ design.
The script hijacks an inactive tab, makes it look like your bank’s website, and asks you to log in. There’s no reason you shouldn’t — financial websites have trained us to relog every 15 minutes for safety reasons. Those very reasons can lead to your downfall.
So, why doesn’t the same-origin policy protect you from tabnabbing? How come one unsafe website can inject a script that refaces an entire tab? The answer is poor browser design. Browsers allow you to ignore the same-origin policy when navigating inactive tabs.
One workaround is to open websites with sensitive data in separate browser windows. It will take a greater toll on your hardware, but your information will be safer. The other is to be more vigilant or to keep your browser count to a minimum, and no one likes hearing that.
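Site owners also have a fix on their side. The best-known form of this attack (often called reverse tabnabbing, which the article does not name) works through the `window.opener` reference that a page opened with `target="_blank"` keeps back to the tab that opened it; adding `rel="noopener"` (or `rel="noreferrer"`, which implies it) severs that reference. The following is an added example, not code from the original article or from any product it mentions: a lint-and-fix pass a site owner can run over their own HTML templates to find outbound links that open a new tab without `noopener`. It uses a regular expression rather than a full HTML parser, so it is intended for templates you control, not arbitrary untrusted markup; the sample HTML and domains are constructed.

```javascript
// Added example, not from the original article. Finds <a target="_blank">
// links that lack rel="noopener"/"noreferrer" (which leave window.opener
// reachable from the new tab) and rewrites them to include the attribute.
// Regex-based on purpose: meant for templates you control, not untrusted HTML.

const ANCHOR_RE = /<a\b[^>]*>/gi;

// Read one attribute value from an opening tag; supports "..", '..' and bare values.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i'));
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// rel="noreferrer" implies noopener in current browsers, so either token is safe.
function isOpenerSafe(tag) {
  const rel = (attr(tag, 'rel') || '').toLowerCase().split(/\s+/);
  return rel.includes('noopener') || rel.includes('noreferrer');
}

function opensNewTab(tag) {
  return (attr(tag, 'target') || '').toLowerCase() === '_blank';
}

// Return the opening tags that need fixing.
function auditLinks(html) {
  return (html.match(ANCHOR_RE) || []).filter((tag) => opensNewTab(tag) && !isOpenerSafe(tag));
}

// Return the HTML with rel="noopener noreferrer" added (or appended to an existing rel).
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    if (!opensNewTab(tag) || isOpenerSafe(tag)) return tag;
    const rel = attr(tag, 'rel');
    if (rel === null) return tag.replace(/\s*(\/?)>$/, ' rel="noopener noreferrer"$1>');
    return tag.replace(/\brel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, `rel="${rel} noopener noreferrer"`);
  });
}

// Constructed sample template (placeholder domains).
const SAMPLE_HTML = `
<a href="https://partner.example/deal" target="_blank">Partner offer</a>
<a href="https://docs.example" target="_blank" rel="noopener">Docs</a>
<a href="/help">Help</a>
<a href="https://blog.example" target="_blank" rel="external">Blog</a>
`;

console.log('links needing noopener:', auditLinks(SAMPLE_HTML));
console.log(hardenLinks(SAMPLE_HTML));
```

Modern browsers treat `target="_blank"` as implying `noopener` by default, but older ones do not, and the explicit attribute costs nothing. Serving the sensitive site with a `Cross-Origin-Opener-Policy` header complements this from the other direction, as it isolates the site's own browsing context from pages that opened it.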
Cross-Site Request Forgery (CSRF)
Cross-site request forgery or CSRF relies on cross-site sending of information to attack your sensitive data. Since the same-origin policy doesn’t restrict sending, it can’t protect you against CSRF, and neither can your browser. With CSRF, you’re relying on each individual website you’re visiting for protection. In other words, whether you’re vulnerable to CSRF attacks or not depends on the bank’s web app implementation.
CSRF can access sensitive data on tabs where you logged in, even after you’ve closed them. This attack works because websites don’t know who’s talking to them. They don’t know if a script or a real human being is sending the request. One of the tabs with malicious content can send the request to the bank’s website and get the information if you’re still logged in.
The first solution is an obvious one — don’t just close the tabs when you’re done, log out instead. All of the other solutions involve banks doing proper work on their web apps. Most common web app protections include tokens and checking referrers, but you never know if such steps have been implemented.
Avoid Browsers Altogether
A person who needs to get a lot of work done can’t constantly keep tabs (pun intended) on what all the websites are doing or what they look like. When you’re focused on the task at hand, you can’t really track all the surreptitious tab activities.
By using a desktop app such as FOCOS, you can wave all the risks of web browsers goodbye, yet retain access to all the on-demand software you need to do your work.
If CSRFs and tabnabbings sound like something you’d rather not worry about at all, it might be time to move your activities to the safe and seamless work environment that is our app.