About the developer

dxa4481
123 Stars 27 Forks GNU General Public License v2.0 10 Commits 0 Opened issues

Description

A demo of altering an opened tab after a timer

Window hijacking

This is a demonstration of a website opening a new tab after a link is clicked, and then after a timer of any length, while the user is on the new page, changing the location of that new page.

Context

It's known that an <a> tag with its target attribute set to _blank carries security risks:

https://mathiasbynens.github.io/rel-noopener/

This is because the newly opened page has the ability to change the window location of the page that opened it, with the following:

window.opener.location = "https://google.com"

However, this demonstration shows that a website has the ability to create a new page in a new tab, and then change the location of the newly created page after an arbitrary period of time has passed. This can be achieved as follows:

Open Window!

In the above example, a new window is opened when the button is pressed, and 5 minutes later, the new window will change locations. Even if the new tab is changed to another website, or refreshed, the original website can still change the location.

Impact

Users may be tricked into clicking links that are innocent, but change to be malicious after an arbitrary period of time. For example, a link to facebook.com may take a user to facebook, however after an arbitrary period of time, the facebook.com tab may change to faceobok.com and present a user with a fraudulent cloned login page to steal credentials.

Demo 1

In this example, a legitimate login page is linked, and the timer is set to 5 seconds. When the timer expires, the legitimate login page is changed to an illegitimate login page which has a keylogger installed on it.

https://security.love/windowHijacking

Demo 2

In this secondary example, the attack is combined with Pastejacking. A legitimate serverfault.com question is linked. After being opened, a 5 second timer will change the location of the legitimate serverfault website to a malicious clone of the original serverfault page, with pastejacking code installed. This causes any user who tries to copy the answer to get "cat /etc/passwd\n" injected into their clipboard.

https://security.love/windowHijacking/index2.html

Other considerations

When performing this attack, the opened page also has the ability to change the location of the parent page. This can be accomplished by the same window.opener method shown above for _blank links. This can be used to stop JavaScript timers on parent pages.
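
Both directions described above can be checked from the defender's side. The following is an added example, not code from the original repository: it flags target=_blank links that lack rel=noopener, and checks whether a response sets Cross-Origin-Opener-Policy, a standard header the README does not mention that stops a cross-origin opener from navigating the page later. Function names and the sample response are hypothetical.

```javascript
// Added example (not from the original README). Sample data is constructed.

// Return target=_blank anchors whose rel lacks noopener/noreferrer; these give
// the opened page a window.opener handle on the linking page.
// Current browsers imply noopener here; the explicit rel covers older ones.
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    const attr = (name) => {
      const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
      const m = tag.match(re);
      return m ? (m[1] ?? m[2] ?? m[3]) : null;
    };
    if ((attr("target") || "").toLowerCase() !== "_blank") continue;
    const rel = (attr("rel") || "").toLowerCase().split(/\s+/);
    if (!rel.includes("noopener") && !rel.includes("noreferrer")) unsafe.push(tag);
  }
  return unsafe;
}

// A Cross-Origin-Opener-Policy of same-origin (or same-origin-allow-popups) on
// the opened document moves it to a new browsing context group, so the window
// handle a cross-origin opener kept from window.open() can no longer navigate it.
function isolatesFromOpener(headers) {
  const entry = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === "cross-origin-opener-policy");
  if (!entry) return false;
  // Drop parameters such as report-to before comparing the policy token.
  const value = String(entry[1]).split(";")[0].trim().toLowerCase();
  return value === "same-origin" || value === "same-origin-allow-popups";
}

function auditOpenerExposure({ html, headers }) {
  return {
    unsafeBlankLinks: findUnsafeBlankLinks(html),
    navigableByOpener: !isolatesFromOpener(headers),
  };
}

// Constructed sample response: one unsafe link, two hardened ones, COOP set.
const sample = {
  headers: { "Content-Type": "text/html", "Cross-Origin-Opener-Policy": 'same-origin; report-to="coop"' },
  html: `<a href="https://example.com/a" target="_blank">a</a>
<a href="https://example.com/b" target=_blank rel="nofollow noopener">b</a>
<A HREF='https://example.com/c' TARGET='_BLANK' REL='NoReferrer'>c</A>
<a href="/local">d</a>`,
};
console.log(auditOpenerExposure(sample));
```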
