Reverse tabnabbing, also known simply as tabnabbing, is a form of phishing that involves deceiving a victim into entering login credentials on a fake website controlled by a cyber attacker. While there are numerous types of online attacks that leverage fake web pages to steal user information, tabnabbing distinguishes itself through a distinct and cunning approach.

The severity of the corresponding tabnabbing fallout is highly dependent on which types of credentials an attacker manages to obtain. However, safeguarding browsers from these types of attacks is relatively easy. This article aims to provide an overview of what tabnabbing entails and how to prevent it.

The anatomy of a tabnabbing attack

  1. Imagine that you have a website open in a tab on your browser. In this example, let’s assume that you’re on LinkedIn. You log onto the site and observe that someone has sent you a message about a new professional development course that sounds exciting.
  2. You click on the link. You’re directed to a website with an in-depth description of the offer. The website is owned by an attacker.
  3. While you’re exploring the course curricula, the malicious site forces a redirect of the original LinkedIn tab to a fake cloned website (controlled by the attacker, of course) that looks identical to LinkedIn’s regular login page.
  4. The fake login page prompts you to re-enter your credentials. Although you know that you’ve already logged into LinkedIn, there’s a fair chance that you (or anyone else unlucky enough to experience this type of attack) will simply retype the credentials, thinking that a minor technical glitch may have occurred. After all, such glitches are relatively common.
  5. If you end up entering your credentials into the fake website, you’ve just handed your credentials over to an attacker, compromising your LinkedIn account.

The technical dimension of tabnabbing

Tabnabbing is possible on websites that allow users to post links that, when clicked, open in a new tab. A link opens in a new tab due to the link’s target="_blank" property.

When a victim clicks on a link crafted with target="_blank", the web browser injects two variables into the destination page:

  • opener
  • referrer

The source web page (on which the link was clicked) is exposed to the destination page via document.referrer. The window.opener property returns a reference to the parent window, that is, the window that opened the new one through the target="_blank" link. An attacker can use the window.opener property from the destination window to gather details about, and make changes to, the parent window, such as redirecting the victim’s original open tab to a phony page that requests the victim’s credentials.

Tabnabbing in the wild

In 2017, news outlets reported that a Russian hacking group launched cyber attacks against French presidential candidate Emmanuel Macron and his campaign staff. Techniques used included, as you might expect, tabnabbing.

How to prevent tabnabbing

To guard against tabnabbing attacks, the method to employ is contingent upon the position that you occupy in the attack – either the server-side or the user-side. We’ll explore both situations.


Preventing tabnabbing from the server-side is a relatively straightforward process. There are two approaches to implementing this protection, depending on whether your website uses HTML or JavaScript to launch new windows.

    • HTML: In HTML, set the rel attribute with the noreferrer and noopener parameters whenever the web server/application creates links. noopener ensures that the linked page can’t access window.opener from the source page. At the same time, noreferrer ensures that the Referer request header is not sent along with the request. In turn, the destination site does not learn the originating URL that the user is coming from.
    • JavaScript: Achieve the same outcomes as described above by setting the new window’s opener property to null. If showing user-generated content, you should also ensure that the server sanitizes the user input and applies "noopener" and "noreferrer" to every generated link.
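
The two server-side measures above, as an added example that is not code from the original article: hardenLinks enforces rel="noopener noreferrer" on every <a> tag in generated HTML, and openDetached nulls opener on a window opened from script. The function names and sample URLs are assumptions, and the regex tag matcher is for illustration; a production sanitizer should use a real HTML parser.

```javascript
// Added example, not from the original article; names are illustrative.
const REQUIRED = ["noopener", "noreferrer"];
// Opening <a ...> tag; quoted attribute values may themselves contain ">".
const A_TAG = /<a(?=[\s>])((?:"[^"]*"|'[^']*'|[^'">])*)>/gi;
// One attribute: a name, optionally followed by a quoted or bare value.
const ATTR = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Enforce rel="noopener noreferrer" on every <a> tag in generated HTML,
// keeping rel tokens the link already carries (for example nofollow).
function hardenLinks(html) {
  return html.replace(A_TAG, (tag, attrs) => {
    let sawRel = false;
    const rewritten = attrs.replace(ATTR, (attr, name, dq, sq, bare) => {
      if (name.toLowerCase() !== "rel") return attr; // leave other attributes
      sawRel = true;
      const tokens = (dq ?? sq ?? bare ?? "").split(/\s+/).filter(Boolean);
      for (const need of REQUIRED) {
        if (!tokens.some((t) => t.toLowerCase() === need)) tokens.push(need);
      }
      return `rel="${tokens.join(" ").replace(/"/g, "&quot;")}"`;
    });
    const added = sawRel ? "" : ` rel="${REQUIRED.join(" ")}"`;
    return `${tag.slice(0, 2)}${rewritten}${added}>`;
  });
}

// For windows opened from script: set opener to null before the child
// loads the untrusted URL. `win` is injectable so the function can be
// exercised outside a browser; in a page it defaults to window.
function openDetached(url, win = globalThis.window) {
  const child = win.open("about:blank", "_blank");
  if (child) {            // null when a pop-up blocker refuses the window
    child.opener = null;  // sever the reference back to this page
    child.location = url; // only now navigate to the untrusted page
  }
  return child;
}

// Constructed sample of user-generated markup (not real data).
const sample =
  '<p><a href="https://example.test/course" target="_blank">course</a> ' +
  "<a target=_blank rel='nofollow' href=/x>x</a> <abbr title=\"a\">a</abbr></p>";
console.log(hardenLinks(sample));
```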


For users, the crux of protecting against tabnabbing attacks rests on adhering to fundamental security measures that are applicable to nearly any online endeavor. These security measures include:

    • Use of a firewall. All major operating systems have a built-in incoming firewall, while all commercial routers that are currently available on the market have a built-in NAT firewall. It’s imperative that people ensure that these protective measures are activated, as they may potentially shield the user in the event of a malicious link being clicked.
    • Exercise caution around pop-up ads. Avoid clicking on them, as their destinations are often unknown and may lead to potentially harmful consequences.
    • Pay attention to browser warnings. If a browser flashes a warning message when attempting to access a particular website, the message should not be ignored. As simple as it sounds, adhering to the guidance of one’s browser can serve as a safeguard against tabnabbing attacks.
    • Avoid clicking on advertisements. Instead, it pays to use search engines in order to locate desired information, a process that typically only requires a few extra seconds.
    • Limit personal information disclosure online. Carefully consider the necessity of any online information sharing. Determine whether information sharing is really necessary before proceeding with disclosure of details.


Tabnabbing is a malicious technique deployed by cyber criminals to hijack inactive browser tabs and to redirect users to fraudulent websites. This type of attack exploits the trust that individuals have in previously opened tabs, and it is imperative that users remain vigilant and take steps to protect themselves.
