A tabnabbing attack takes place when a user leaves an innocuous-looking but malicious tab unfocused: while out of focus, the page changes its appearance so that, when the user returns, it impersonates a site she trusts. Tabnabbing differs from traditional phishing in that it exploits the trust placed in a previously opened tab, whereas phishing simply tries to mislead the user into visiting a forged page. Our evaluation of TabShots consists of three parts. First, we discuss how TabShots effectively protects against all tabnabbing attacks. Second, we discuss the performance impact of TabShots. The third part elaborates on the setup and results of an experimental compatibility study using Alexa's 1,000 most popular sites.
The security guarantees offered by TabShots follow directly from its design. We recapitulate the three most important security properties here:
- zero false negatives
- user-friendly and clear overlay
- secure toolbar indicator
TabShots cannot miss a tabnabbing attack by design, since it visually captures screenshots of a tab and compares them. For a tabnabbing attack to go undetected, the screenshots taken before and after the tab lost focus would have to be identical, meaning the page did not change while out of focus. That case is a classic phishing attack, not a tabnabbing attack. Second, TabShots injects an overlay into the focused tab, indicating which parts of the page have changed since it was last in focus. Using mutation events, TabShots detects whether a malicious page actively tries to remove the overlay, and notifies the user with a strong security message. Third, TabShots adds an icon to the browser toolbar. Using a three-level color indication system, it notifies the user of how much of the tab has changed. The strength of this toolbar icon is that it runs in the context of the add-on and is completely out of reach of any page-specific code, which prevents manipulation by a malicious page.
In order to prevent tabnabbing attacks, TabShots must be capable of warning the user of any changes before she enters any sensitive information. Furthermore, since TabShots's algorithm is executed every time a user switches tabs, it is crucial that there is no noticeable performance impact. The performance measurements and analysis of the main algorithm discussed below show that TabShots succeeds in quickly processing the captures and warning the user of any changes that occurred.
One important advantage of TabShots is that it fully operates in the background, without any blocking impact on any browser action or processing. When a user switches tabs, TabShots will perform the following steps:
- Capture a screenshot of the newly focused tab
- Cut the previously captured image of this tab (before it lost focus) into tiles
- Cut the newly acquired screenshot into tiles
- Compare the tiles of both screenshots and mark the differences
- Inject the calculated overlay into the page and update the TabShots icon
For a browsing window with a resolution of 1366×768, the most common resolution at the time of this writing, TabShots is capable of performing these steps within an average time of 284ms after receiving the browser event fired by switching tabs. Note that of these 284ms, 160ms are consumed by browser APIs, which are out of our control. Currently, a large share of the remaining time is consumed by the comparison algorithm, which is a pixel-by-pixel comparison of each tile. The time used by this algorithm is strongly correlated with the number of changes within a page: as soon as a difference between two tiles is detected, at the first differing pixel in the best case, there is no need to check the remaining pixels of that tile.
Consequently, if a tabnabbing attack occurs, a lot of changes will be detected and TabShots’s algorithm will perform even faster. The table presents the number of milliseconds spent on comparison on our testing pages, where we use a div to change a certain percentage of a page, clearly showing the correlation between the amount of changes and required processing time.
Overall, one can see that TabShots is efficient enough to prevent tabnabbing attacks before the user discloses her credentials to the phishing page and without a negative effect on the user’s browsing experience. Moreover, if TabShots were to be implemented directly within the browser instead of through the browser’s add-on APIs, we expect that its overhead would be significantly lower.
Apart from the security guarantees offered by TabShots, its compatibility with existing sites is another important evaluation criterion. When using non-malicious Web applications, the number of changes detected by TabShots, i.e., false positives, should be limited, even though the user can quickly determine whether a change is legitimate or not. To determine the compatibility with current Web applications, we ran TabShots on the top 1,000 Alexa sites. Each site was loaded in a separate tab, and captured before and after it lost focus. These two captures were compared and analyzed for the number of changed blocks. Through our preliminary experimentation with TabShots, we discovered that a 10×10 tile size strikes the desired balance between performance and precision. Smaller tiles would incur extra overhead, since as the number of tiles increases, so does the number of checks between the old and new versions, without a distinguishable improvement in pinpointing the modified content.
The table shows the results for the top 20 sites, and the Figure shows a histogram of the entire top 1,000, grouped by integer percentage values. The results show that 78% of sites fall within the safe threshold of less than 5% changed blocks, meaning there are no compatibility issues for them. About 19% of sites show moderate changes, between 5% and 40% of blocks. Manual verification shows that these changes are mainly caused by changing content such as image slideshows or dynamic advertisements. A typical example of the overlay produced for a dynamic advertisement is shown in the Figure. Finally, 3% of sites have more than 40% changed blocks, which appears to be caused by changing background graphics.
Note that even though certain sites have a high number of changed blocks, TabShots never interferes with a page, preventing any loss of functionality. If desired, a user can easily whitelist known trusted sites, to prevent needless overlaying of changed content. Additionally, a future extension of TabShots can incorporate a learning algorithm to identify dynamic parts of a site while the tab is in focus, which reduces the number of false positives.
The automated analysis gives a good idea of the impact on Alexa's top 1,000 but is unfortunately not able to cover the authenticated parts of the sites. Therefore, we also tested the impact of TabShots on the daily use of several highly dynamic Web applications, such as social networking applications (e.g., Facebook, Twitter) and Webmail clients (e.g., Gmail, Outlook Web Access). One noticeable effect is that the addition of a single element can shift the content below it, which the current comparison algorithm flags as a major change because both the old and the new position of the shifted content differ. In future work, we can implement a comparison algorithm that detects such shifts and only marks the newly added content as a change.
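As an added illustration that is not part of the original paper or of the TabShots implementation, the following JavaScript reproduces the comparison steps of the tab-switch procedure listed earlier (cutting both captures into tiles, comparing them and marking the differences), the early-exit behaviour of the pixel-by-pixel tile comparison, and the content-shift effect just described. It assumes that a capture is an RGBA byte array in the ImageData layout, that a 10×10 tile measures 10×10 pixels, and that the toolbar icon's three levels coincide with the 5% and 40% buckets of the compatibility study; none of these details are stated on the page. The helpers makeCapture and fillRect only construct test input; the captures in demo() are constructed, not real screenshots.

```javascript
// Added example, not TabShots' own code: tile-based comparison of the capture
// taken before a tab lost focus with the one taken when it regains focus.
// Assumed (not stated on the page): a capture is RGBA bytes in the ImageData
// layout, and "10x10 tile" means 10x10 pixels.
const TILE = 10;

// A capture: { width, height, data }, data = Uint8ClampedArray of RGBA bytes.
function makeCapture(width, height, rgba = [255, 255, 255, 255]) {
  const data = new Uint8ClampedArray(width * height * 4);
  for (let i = 0; i < data.length; i += 4) data.set(rgba, i);
  return { width, height, data };
}

// Paint a rectangle, simulating a page change (ad swap, inserted element, ...).
function fillRect(cap, x, y, w, h, rgba) {
  for (let yy = y; yy < Math.min(y + h, cap.height); yy++) {
    for (let xx = x; xx < Math.min(x + w, cap.width); xx++) {
      cap.data.set(rgba, (yy * cap.width + xx) * 4);
    }
  }
}

// Pixel-by-pixel comparison of one tile. It returns on the first differing
// byte, which is why a heavily rewritten page compares faster than a static one.
function tileDiffers(a, b, tx, ty) {
  const x0 = tx * TILE, y0 = ty * TILE;
  const x1 = Math.min(x0 + TILE, a.width), y1 = Math.min(y0 + TILE, a.height);
  for (let y = y0; y < y1; y++) {
    for (let off = (y * a.width + x0) * 4; off < (y * a.width + x1) * 4; off++) {
      if (a.data[off] !== b.data[off]) return true;
    }
  }
  return false;
}

// Steps 2-4 of the tab-switch procedure: cut both captures into tiles, compare
// them and mark the differences. The boolean grid is the overlay to inject.
function compareCaptures(before, after) {
  if (before.width !== after.width || before.height !== after.height) {
    throw new Error('captures differ in size');
  }
  const cols = Math.ceil(before.width / TILE);
  const rows = Math.ceil(before.height / TILE);
  const overlay = [];
  let changedTiles = 0;
  for (let ty = 0; ty < rows; ty++) {
    const row = [];
    for (let tx = 0; tx < cols; tx++) {
      const changed = tileDiffers(before, after, tx, ty);
      if (changed) changedTiles++;
      row.push(changed);
    }
    overlay.push(row);
  }
  const totalTiles = rows * cols;
  return { overlay, changedTiles, totalTiles, percent: (100 * changedTiles) / totalTiles };
}

// Three-level toolbar indication. The 5% and 40% cut-offs are the buckets the
// compatibility study reports; that the icon uses exactly these is an assumption.
function indicatorLevel(percent) {
  if (percent < 5) return 'green';
  if (percent < 40) return 'orange';
  return 'red';
}

// Constructed 100x60 captures (60 tiles): a white page with a blue block.
function demo() {
  const before = makeCapture(100, 60);
  fillRect(before, 10, 10, 80, 40, [0, 0, 255, 255]);

  // 1. Benign: a 20x10 advertisement in the bottom-left corner is swapped.
  const adSwap = { ...before, data: before.data.slice() };
  fillRect(adSwap, 0, 50, 20, 10, [200, 0, 0, 255]);

  // 2. Tabnabbing: the whole page is redrawn as a different (login) page.
  const nabbed = makeCapture(100, 60, [240, 240, 240, 255]);
  fillRect(nabbed, 10, 10, 80, 40, [30, 30, 30, 255]);

  // 3. A single 10px element inserted at the top pushes the block down; the
  // tile comparison flags the old and the new position, not just the element.
  const shifted = makeCapture(100, 60);
  fillRect(shifted, 0, 0, 100, 10, [0, 200, 0, 255]);
  fillRect(shifted, 10, 20, 80, 40, [0, 0, 255, 255]);

  return {
    adSwap: compareCaptures(before, adSwap),   // 2 of 60 tiles, green
    nabbed: compareCaptures(before, nabbed),   // 60 of 60 tiles, red
    shifted: compareCaptures(before, shifted), // 26 of 60 tiles, red
  };
}
```

Calling demo() shows the three regimes side by side: the advertisement swap touches 2 of 60 tiles (3.3%, within the safe bucket), the tabnabbing rewrite touches every tile, and the inserted element, although it adds only one row of tiles, is charged for 26 tiles because the block's former and new positions both differ. The early exit in tileDiffers means the second case does the least work per tile, matching the observation that an attack makes the comparison faster rather than slower.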
Screenshot of a typical dynamic advertisement being recognized by TabShots.