The security risks associated with the target="_blank" attribute will leave you BLANK 🤯

According to firstsiteguide.com, there are over 5.25 billion active internet users. When we use the internet to browse websites, we frequently come across hyperlinks. These can be found in text, images, pop-up windows, or any combination of these. An HTML element that links to a different section of the same page or to a different document entirely is known as a hyperlink. Many websites contain links that open in a new tab. For instance, let's imagine you're on an e-commerce website and you click on a product's details because you like it. A new tab now opens with this information page.

As you can see, this is ebay.com. I liked this camera drone and wanted to know more about it, so I clicked on its details.

When I clicked on its details, a new tab containing those details opened.




There are several attributes for the various HTML elements, and one of the attributes for the anchor tag element is target="_blank". On a webpage, anchor tags are in charge of adding hyperlinks, and the attribute target="_blank" is in charge of making those links open in new tabs. However, you might wonder why websites open links in new tabs rather than reusing the same tab, since doing so inevitably puts more strain on the browser. Yes, you are correct, it does put more strain on the browser, but there isn't really any other option. There are websites that enable users to post links, just as you might post a link in the comment section of a post. Opening links in a new tab is often done when the links go to a third party.

How can it be a security risk?

As explained earlier, the attribute target="_blank" lets us open links in a new tab. When one window opens another, the child window has a property called "opener" that acts as a reference to the parent window. A child window can reach the parent window through this property. The opener has a location object and other methods, the same as any other window, and location.replace() is a window-navigation method. It replaces the current location with a new URL, as the name implies.

Consider the following example:

Let's assume we are on a well-trusted and renowned website, "Website A". The URL of this website is: www.trusted.com
Now say I post a comment in this website's comment section. The comment is: "Hey checkout this link to get free discount, the link is : www.malicious.com"




Whenever someone clicks on this link, it will open in a new tab. I have added a malicious piece of code to this website. The code is:




Using this malicious code, I changed the URL of the parent window (the trusted site) to a malicious URL that I created (www.stealPassword.com). The parent tab now shows a website that looks much like "Website A", but it is actually just a clone of "Website A" that I made to steal your credentials. I can show you a pop-up saying you got logged out and asking you to log in again. You will think you are on the trusted website (Website A), but you will end up giving your credentials to me, which I can use to get access to your account. 😈 This is called (reverse) tabnabbing. It is a phishing method.


Now the question arises how to fix this?

The remedy for this issue is found inside the issue itself. The concern is that a malicious site opened in a new tab can still access its parent tab, so the fix is to prevent new tabs from having that access. This is accomplished by adding the rel="noreferrer noopener" attribute to the anchor tag. With this attribute set, the new tab gets no reference to the parent: its "opener" property is null. So make sure to use rel="noreferrer noopener" whenever you use target="_blank" in an anchor tag.
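One way to check existing markup for this, as an added example that is not part of the original post: a small Python auditor that lists every link using target="_blank" without noopener or noreferrer and suggests the rel value to set. The function names and the sample markup are constructed for illustration, and the check also covers area tags, which the post does not mention.

```python
from html.parser import HTMLParser

# Either token makes the browser leave window.opener unset in the new tab.
SAFE_TOKENS = {"noopener", "noreferrer"}

def suggested_rel(rel):
    """Keep existing rel tokens and append the two the post recommends."""
    tokens = rel.lower().split()
    tokens += [t for t in ("noreferrer", "noopener") if t not in tokens]
    return " ".join(tokens)

class BlankTargetAuditor(HTMLParser):
    """Collect <a>/<area> tags that use target="_blank" without a safe rel."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attr = {name: (value or "") for name, value in attrs}
        # Browsers match the _blank keyword case-insensitively.
        if attr.get("target", "").lower() != "_blank":
            return
        rel = attr.get("rel", "")
        if SAFE_TOKENS & set(rel.lower().split()):
            return
        self.findings.append({
            "line": self.getpos()[0],
            "href": attr.get("href", ""),
            "suggested_rel": suggested_rel(rel),
        })

def audit(html):
    """Return one finding per unsafe new-tab link in the markup."""
    parser = BlankTargetAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a comment thread like the one in the post.
SAMPLE = """<div class="comments">
<p>Free discount: <a href="http://www.malicious.com" target="_blank">link</a></p>
<p><a href="https://example.org/docs" target="_blank" rel="noreferrer noopener">docs</a></p>
<p><a href="https://example.org/faq" target="_BLANK" rel="nofollow">faq</a></p>
<p><a href="/same-tab">same tab</a></p>
</div>"""
if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run over templates or stored user comments, it reports the line, the link target and the rel value to write back, so the fix can be applied wherever user-posted links are rendered.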

This issue was a hot topic some 4-5 years ago, and many websites looked into it and fixed it. In my opinion this is not a huge effort: all you need to do is add one attribute. This will fix this loophole in the web dev world.

This brings us to the end of this blog. I hope you liked it, please do let me know your thoughts in the comments section below.
