Tabnabbing Attack Explained

How It Works, Why It’s No Longer Effective, and How to (Still) Prevent It.

  April 4, 2025  |  2 minutes  |  358 words  |  Talha Awan

Tabnabbing is an outdated technique that was used by attackers to distract the trapped users and get them to share sensitive information. Most of the modern browsers now have protection in place that has made this attack almost non-existent.

For more potential attacks and their solutions, check out my post on the web security checklist.

How Tabnabbing Works

Here’s a step-by-step example of how tabnabbing works:

  1. User is on a trusted website (e.g., https://www.someblog.com). The website has shared a link, believing it to be harmless.

  2. The user clicks on the link and it opens up in a new tab (https://www.malicious.com).

  3. While the user is distracted and spending time on the malicious site, the malicious site redirects the original tab (Tab 1) using window.opener.location = "https://www.facebook-fake.com".

  4. When the user returns to the original tab, it has been deceivingly replaced with a phishing site (https://www.facebook-fake.com) that is an exact replica of the https://www.facebook.com login page.

  5. The naive user believing that they have been logged out of Facebook because of inactivity and forgetting that they were actually at https://www.someblog.com (and of course ignoring the now address bar containing fake Facebook domain), fills out the credentials and submits, unknowingly handing them over to the attacker.

Tabnabbing Example
Fig. Tabnabbing Example

Why Tabnabbing Isn’t Effective Anymore

Because modern browsers (Chrome, Firefox, Safari, Brave, etc.) have made cross-origin tabnabbing ineffective. Here’s how:

  • window.opener is nullified by default unless rel="opener" is explicitly set on the link.
  • A new tab cannot navigate its opener unless both pages share the same domain

That is, browsers by default imply rel="noopener" to all target="_blank" links. Even if set to rel="opener", the malicious site cannot redirect the parent tab to a cross-domain link.

How to Prevent Tabnabbing

Even though modern browsers are secure, you cannot rely solely on them, mainly because you never know how outdated or insecure the browser of the user is. So, as a best practice, you should always use rel="noopener noreferrer" with target="_blank":

<a href="https://example.com" target="_blank" rel="noopener noreferrer">Visit Example</a>

Where noopener prevents access to window.openerand noreferrer ensures no referrer data is leaked to the new tab, making it impossible for anyone to carry out tabnabbing and phishing attacks.


Buy me a coffee


web-security 

See also

When you purchase through links on techighness.com, I may earn an affiliate commission.
no sql data modeling, 15 real-world examples
Kindle
no sql data modeling and diagram creation
Kindle
We use cookies to enhance your experience. By continuing to visit this site you agree to our use of cookies. More info cookie script