Select Page

We will talk about Reverse Tabnabbing, including what it is, how it works, and ways to prevent it. After all, we know the end user is the weakest link in information security.

And we’re all responsible for preventing these malicious incidents.



What is Reverse Tabnabbing & How Does It Work?

Reverse tabnabbing, or simply tabnabbing, is a phishing attack in which an attacker tricks a victim into entering their credentials on a fake website controlled by the attacker. 

This technique allows, through links, redirection to a site from the main site.

Let’s suppose we have Site A, which is a blog or a social network, and someone posts a link with a target tag = “_blank” (often this tag is automatically placed on the links in the links). comments on this type of site, since in most cases they are links to external sites), and with an href to Site B.

From site B, site A could be redirected to a malicious site C that has, for example, a login box identical to that of site A.

Reverse tabnabbing attacks can have serious consequences, depending on the credentials they manage to compromise. Fortunately, protecting yourself against these attacks is quite simple.


Real Reverse Tabnabbing Examples

This is how a reverse tabnabbing attack might work:

  • The victim has a website open in a tab, in their browser (let’s say Facebook) and they log in to the site and see that someone has posted something on their wall: an offer for something at a discount or something else that the victim might be interested in.

  • The victim inadvertently clicks the link and is directed to the website with the offer in a new tab. That website is a malicious site controlled by the attacker.

  • While the victim is looking at the fake offer on the malicious site, the malicious site forces a redirect from the victim’s original Facebook tab to a fake cloned website, controlled by the attacker, that looks exactly like the login page From Facebook.

  • The fake Facebook page prompts the victim to re-enter her credentials. Although the victim knows that she is already logged in, it is very likely that she simply re-enters her email and password, thinking that a minor technical problem must have occurred. 

  • If the victim enters the credentials on the fake website, they have just given the credentials to the attacker and compromised her account.


According to Danish government security analysts, in April 2017, APT28 (a Russian hacking group) mounted an attack on the French presidential candidate Emmanuel Macron. 

While the attack described here differs slightly from our previous playbook example, there is an additional redirect from the malicious website (which is open when the victim clicks the link in the webmail) to the legitimate conference website. Before the redirection to the legitimate site, the malicious site will do its mojo and mess with the open webmail tab.

A variant of tabnabbing has been used. In this attack scenario, the target receives an email that purports to come from a website they might be interested in, perhaps a conference they’re likely to visit or a news site they’ve subscribed to. 

The email has a link to a very legitimate-looking URL. When the target reads your email and clicks the link, it will open in a new tab. This new tab will display the legitimate website of a conference or news provider after being redirected from a site controlled by the attackers.


How to Prevent a Reverse Tabnabbing Attack 

On the server side, the way to protect against reverse tabnabbing attacks is quite simple. 

Preventing reverse tabnabbing attacks is simple and we’ll show you why using HTML or JavaScript to open new windows. We will show you both ways.


  • HTML – You need to make sure to set the HTML rel attribute with the noreferrer and nooperner parameters every time the web/application server creates links.

    “Noopener” ensures that the linked page does not have access to window.opener from the source page. While noreferrer makes sure that the request’s referrer header is not sent along with the request. In this way, the destination site does not see the origin URL that the user came from.

  • JavaScript – We can achieve the same as above by setting the opener property to null. If you are going to display user-generated content, you should also make sure that the server sanitizes user input and applies “nooperner, noreferrer” to each generated link.


Now, you may think there’s not much you can do as a user when there is. Here are just a few general online vigilance recommendations:


  • Use a Firewall. All major operating systems have a built-in inbound firewall, and all commercial routers on the market have a built-in NAT firewall. Make sure these are enabled as they can protect you in case you click on a malicious link.


  • Never click on shady ads or popups. 


  • If your browser displays a warning about a website you’re trying to access, you should pay attention and get the information you need elsewhere. In a reverse tabnabbing attack, your browser will warn you if the attacker’s site uses a self-signed or invalid HTTPS certificate. 


  • Always check the address bar for HTTPS:// and a legitimate/trusted domain name before entering a password on a web screen.


  • Use mobile apps instead of mobile web interfaces. Sites like Gmail, eBay, Amazon, Office365, Paypal, and mobile banking sites are the main targets of this type of Tabnabbing attack.