Keith Collins | Quartz | September 28, 2016 | 0 Comments

Facebook and Twitter Are Exposing Users to Phishing Attacks By Opening Links in New Windows


Anyone who’s used the internet knows that when you click a link on a web page, one of two things may happen. The link may load right there in your current tab or window, or it may open in a new one.

Websites that don’t want you to leave, like Facebook and Twitter, tend to opt for the latter. And since people generally don’t want to lose their place on their social media feeds, this functionality has come to be expected.

But that minor convenience comes with a glaring security hole. When a user clicks a link and it automatically opens in a new tab or window, that newly-opened page has some access to the source page that the user clicked from. That access is limited, but it’s enough to force the original page to load an entirely different website.

So imagine you click a link on Facebook and it opens in a new page. You look at that page for a few minutes, then close it and go back to your Facebook tab. Oddly, Facebook says you’ve logged out, and presents you with a login page. It seems strange, but you’ve had Facebook open in this tab all day, and don’t have much reason to be suspicious. You enter your login credentials, and you’ve just been phished. The page you’ve logged onto isn’t Facebook, but rogue website.

It’s a slightly more sophisticated version of the email phishing scams everyone knows to avoid. “Click this link to claim your cash prize,” etc.

The vulnerability exists because Facebook and Twitter insert thetarget="_blank" attribute into their hyperlink code, which is the common method for making links open in new pages. The full hyperlink HTML looks like this:

<a href="//" target="_blank">Quartz</a>

Developer Ben Halpern pointed out on his website earlier this month that the issue could be fixed by inserting the rel="noopener" attribute into a hyperlink that uses target="_blank", so it would look something like this:

<a href="//" target="_blank" rel="noopener">Quartz</a>

“I believe that the majority of websites do not deal with this issue properly,” Halpern said on his blog. Inserting the additional attribute allows the page to open in a new tab, but prevents it from accessing the original page.

To demonstrate how easily a malicious developer could hijack a page that opened a link in a new tab, Halpern set up a page that would do just that (but without all the identity theft).

To see it in action, just follow these instructions from Halpern’s site. We’ve checked this process to ensure safety, but do remember to remain vigilant all the same.

  1. Visit The Practical Dev Facebook page.
  2. Click the link in the profile. This opens a new tab or window.
  3. Observe that the original tab has migrated to this page.

*Facebook and Twitter did not respond to requests for comment (*see update below). It’s worth noting that when Halpern first published his blog post, he focused on Instagram, which at the time had the same vulnerability. Instagram has since fixed the issue.

Update: After this story was published, Facebook got in touch with us and explained some of the technical challenges behind fixing this security hole. While the rel="noopener"fix may work for some web browsers, a spokesperson said, it would also block the referral information that lets websites know where their traffic is coming from. So rather than implement that solution, the spokesperson said, Facebook uses rate-limiting to keep hackers from phishing users en masse, and monitors suspicious activity. That won’t stop websites from exploiting the vulnerability on a small scale, however, or keep hackers from targeting individuals.


Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.