Facebook and Twitter Are Exposing Users to Phishing Attacks By Opening Links in New Windows

Anyone who’s used the internet knows that when you click a link on a web page, one of two things may happen. The link may load right there in your current tab or window, or it may open in a new one.

Websites that don’t want you to leave, like Facebook and Twitter, tend to opt for the latter. And since people generally don’t want to lose their place on their social media feeds, this functionality has come to be expected.

But that minor convenience comes with a glaring security hole. When a user clicks a link and it automatically opens in a new tab or window, that newly-opened page has some access to the source page that the user clicked from. That access is limited, but it’s enough to force the original page to load an entirely different website.

So imagine you click a link on Facebook and it opens in a new page. You look at that page for a few minutes, then close it and go back to your Facebook tab. Oddly, Facebook says you’ve logged out, and presents you with a login page. It seems strange, but you’ve had Facebook open in this tab all day, and don’t have much reason to be suspicious. You enter your login credentials, and you’ve just been phished. The page you’ve logged onto isn’t Facebook, but rogue website.

It’s a slightly more sophisticated version of the email phishing scams everyone knows to avoid. “Click this link to claim your cash prize,” etc.

The vulnerability exists because Facebook and Twitter insert thetarget="_blank" attribute into their hyperlink code, which is the common method for making links open in new pages. The full hyperlink HTML looks like this:

<a href="//qz.com" target="_blank">Quartz</a>

Developer Ben Halpern pointed out on his website earlier this month that the issue could be fixed by inserting the rel="noopener" attribute into a hyperlink that uses target="_blank", so it would look something like this:

<a href="//qz.com" target="_blank" rel="noopener">Quartz</a>

“I believe that the majority of websites do not deal with this issue properly,” Halpern said on his blog. Inserting the additional attribute allows the page to open in a new tab, but prevents it from accessing the original page.

To demonstrate how easily a malicious developer could hijack a page that opened a link in a new tab, Halpern set up a page that would do just that (but without all the identity theft).

To see it in action, just follow these instructions from Halpern’s site. We’ve checked this process to ensure safety, but do remember to remain vigilant all the same.

1. Visit The Practical Dev Facebook page.
2. Click the dev.to link in the profile. This opens a new tab or window.
3. Observe that the original tab has migrated to this page.

*Facebook and Twitter did not respond to requests for comment (*see update below). It’s worth noting that when Halpern first published his blog post, he focused on Instagram, which at the time had the same vulnerability. Instagram has since fixed the issue.

Update: After this story was published, Facebook got in touch with us and explained some of the technical challenges behind fixing this security hole. While the rel="noopener"fix may work for some web browsers, a spokesperson said, it would also block the referral information that lets websites know where their traffic is coming from. So rather than implement that solution, the spokesperson said, Facebook uses rate-limiting to keep hackers from phishing users en masse, and monitors suspicious activity. That won’t stop websites from exploiting the vulnerability on a small scale, however, or keep hackers from targeting individuals.