DEV Community


The target="_blank" vulnerability by example

Ben Halpern on September 11, 2016

Edit: We took the behavior to point out this flaw in Facebook because, even though interesting, it was getting to be annoying because Facebook was ...
Benjamin B

I just tried on Facebook, Instagram, and Twitter and they all seem to be fixed.

gabriele

Not really... :)
steemit.com/security/@gaottantacin...

Affected browsers and social media platforms:
Chrome: Linkedin, ..
Chrome for Android: Facebook, ..
Edge: Facebook, Linkedin, Twitter, ..
Firefox: Facebook, Linkedin, ..
Opera: Facebook, Linkedin, ..
Safari: Facebook, Linkedin, ..

Rémi Lavedrine

That is a brilliant post.
Very well explained. I didn't know that vulnerability.

This article has some real life examples.
And now you can imagine some really bad attack.
I redirect to a Facebook-like website I own that says "You've been disconnected, please reconnect". And boom, you have the user's password.
Just brilliant.

So it is just vital to add the noopener value.

f763rod

Is this vulnerability only exploited on pages where users submit or upload information? The reason I'm asking, a site I'm assisting, uses target="_blank" on many pages, but most of the pages are only displaying information and users are not submitting or uploading content.

Ben Halpern

It's only really a thing if you can't fully trust the pages you're linking out to. And as described, there are ways to mitigate this to a good extent.

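The attack Rémi describes above (the opened tab rewriting the opener's location to a phishing page) and the mitigation Ben refers to (rel="noopener") can be shown side by side. The following is an added example, not code from the original post or from any of the sites named in this thread: it simulates window.opener in plain Node so it runs without a browser, then provides a small helper that adds rel="noopener noreferrer" to every anchor that opens a new tab. All URLs and the helper names (attackerScript, simulateClick, hardenAnchors) are constructed for the example.

```javascript
// Added example (not from the original page): reverse tabnabbing via
// window.opener, simulated in Node, plus an anchor-hardening helper.
// All URLs below are constructed placeholders.

// What the untrusted page opened via target="_blank" can do: the new tab
// keeps a handle to the page that opened it in window.opener and may assign
// opener.location even though it lives on a different origin (reads of the
// opener's location are blocked cross-origin, assignment is not).
function attackerScript(openerRef, phishingUrl) {
  // Returns true if the opener was redirected, false if there was no handle.
  if (openerRef === null || openerRef === undefined) return false;
  openerRef.location = phishingUrl;
  return true;
}

// Simulated opener tab (constructed object standing in for a real window).
// When the link carries rel="noopener", browsers give the new tab a null
// window.opener, so the attacker script has nothing to redirect.
function simulateClick(linkHasNoopener) {
  const openerTab = { location: 'https://example-social.test/feed' };
  const openerHandle = linkHasNoopener ? null : openerTab;
  attackerScript(openerHandle, 'https://example-social-login.evil.test/reconnect');
  return openerTab.location;
}

// Hardening: add noopener (and noreferrer, for browsers that predate noopener)
// to every <a ...> that has target="_blank", preserving any existing rel tokens.
function hardenAnchors(html) {
  return html.replace(/<a\b[^>]*>/gi, (tag) => {
    if (!/\btarget\s*=\s*["']?_blank["']?/i.test(tag)) return tag;
    const relMatch = tag.match(/\brel\s*=\s*["']([^"']*)["']/i);
    const tokens = relMatch ? relMatch[1].split(/\s+/).filter(Boolean) : [];
    const lower = tokens.map((t) => t.toLowerCase());
    if (lower.includes('noopener')) return tag; // already safe
    const added = ['noopener'];
    if (!lower.includes('noreferrer')) added.push('noreferrer');
    const newRel = `rel="${[...tokens, ...added].join(' ')}"`;
    return relMatch
      ? tag.replace(relMatch[0], newRel)
      : tag.replace(/>$/, ` ${newRel}>`);
  });
}

// Stand-alone run: show the attack with and without noopener, then harden markup.
console.log('without noopener ->', simulateClick(false));
console.log('with noopener    ->', simulateClick(true));
console.log(hardenAnchors('<a href="https://example.test" target="_blank">external</a>'));
```

The same rule applies to links opened from script: pass the noopener feature to window.open (`window.open(url, '_blank', 'noopener')`) rather than relying on the returned handle being harmless. Current browsers have since changed the default so that target="_blank" implies noopener, but the explicit rel attribute still matters for older browsers and for any HTML a site serves to them.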
Tomas

Not sure if they fixed it in all social networks, or dev.to doesn't have the opener script anymore. I've tried a jsbin but didn't work either.

Mustafa Ozcan

Is this vulnerability only exploited on pages where users submit or upload information?

Murrough Foley

Surely this is fixed now?

VCCGenerator

Thank you for sharing and explaining in detail. We'll make changes to the site.

Konadu Akwasi Akuoko

Thanks Ben, literally a life saver