Keith Collins | Quartz | September 28, 2016

Facebook and Twitter Are Exposing Users to Phishing Attacks By Opening Links in New Windows


Anyone who’s used the internet knows that when you click a link on a web page, one of two things may happen. The link may load right there in your current tab or window, or it may open in a new one.

Websites that don’t want you to leave, like Facebook and Twitter, tend to opt for the latter. And since people generally don’t want to lose their place on their social media feeds, this functionality has come to be expected.

But that minor convenience comes with a glaring security hole. When a user clicks a link and it automatically opens in a new tab or window, that newly-opened page has some access to the source page that the user clicked from. That access is limited, but it’s enough to force the original page to load an entirely different website.

So imagine you click a link on Facebook and it opens in a new page. You look at that page for a few minutes, then close it and go back to your Facebook tab. Oddly, Facebook says you’ve logged out, and presents you with a login page. It seems strange, but you’ve had Facebook open in this tab all day, and don’t have much reason to be suspicious. You enter your login credentials, and you’ve just been phished. The page you’ve logged onto isn’t Facebook, but a rogue website.

It’s a slightly more sophisticated version of the email phishing scams everyone knows to avoid. “Click this link to claim your cash prize,” etc.

The vulnerability exists because Facebook and Twitter insert the target="_blank" attribute into their hyperlink code, which is the common method for making links open in new pages. The full hyperlink HTML looks like this:

<a href="//" target="_blank">Quartz</a>

Developer Ben Halpern pointed out on his website earlier this month that the issue could be fixed by inserting the rel="noopener" attribute into a hyperlink that uses target="_blank", so it would look something like this:

<a href="//" target="_blank" rel="noopener">Quartz</a>

“I believe that the majority of websites do not deal with this issue properly,” Halpern said on his blog. Inserting the additional attribute allows the page to open in a new tab, but prevents it from accessing the original page.
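For site owners who want to check their own pages for this, here is an added example (not from the original article or from Halpern's post): a small Python audit that parses markup and reports every link that uses target="_blank" without a protective rel token. The names `BlankTargetAuditor`, `audit_blank_targets` and `SAMPLE_HTML` are hypothetical, and the sample markup is constructed.

```python
from html.parser import HTMLParser

# rel tokens that stop the new page from getting a window.opener handle;
# per the HTML spec, noreferrer implies noopener.
SAFE_REL_TOKENS = {"noopener", "noreferrer"}

class BlankTargetAuditor(HTMLParser):
    """Collects links that open a new tab without a protective rel token."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        # Attribute names arrive lowercased; valueless attributes have value None.
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("target", "").lower() != "_blank":
            return
        rel_tokens = set(attr.get("rel", "").lower().split())
        if rel_tokens & SAFE_REL_TOKENS:
            return
        line, _col = self.getpos()  # position of the tag's opening "<"
        self.findings.append({
            "line": line,
            "href": attr.get("href", ""),
            "suggested_rel": " ".join(sorted(rel_tokens | {"noopener"})),
        })

def audit_blank_targets(html):
    """Return one finding per exposed target="_blank" link in the markup."""
    auditor = BlankTargetAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample markup (not taken from Facebook, Twitter or Quartz).
SAMPLE_HTML = """\
<p><a href="https://example.com/a" target="_blank">plain new tab</a></p>
<p><a href="https://example.com/b" target="_blank" rel="noopener">fixed</a></p>
<p><a href="https://example.com/c" TARGET="_BLANK" rel="nofollow">exposed</a></p>
<p><a href="https://example.com/d" target="_blank" rel="NoReferrer">ok</a></p>
<p><a href="https://example.com/e">same tab</a></p>
"""

if __name__ == "__main__":
    for f in audit_blank_targets(SAMPLE_HTML):
        print("line %d: %s -> rel=%r" % (f["line"], f["href"], f["suggested_rel"]))
```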

To demonstrate how easily a malicious developer could hijack a page that opened a link in a new tab, Halpern set up a page that would do just that (but without all the identity theft).

To see it in action, just follow these instructions from Halpern’s site. We’ve checked this process to ensure safety, but do remember to remain vigilant all the same.

  1. Visit The Practical Dev Facebook page.
  2. Click the link in the profile. This opens a new tab or window.
  3. Observe that the original tab has migrated to this page.

Facebook and Twitter did not respond to requests for comment (see update below). It’s worth noting that when Halpern first published his blog post, he focused on Instagram, which at the time had the same vulnerability. Instagram has since fixed the issue.

Update: After this story was published, Facebook got in touch with us and explained some of the technical challenges behind fixing this security hole. While the rel="noopener" fix may work for some web browsers, a spokesperson said, it would also block the referral information that lets websites know where their traffic is coming from. So rather than implement that solution, the spokesperson said, Facebook uses rate-limiting to keep hackers from phishing users en masse, and monitors suspicious activity. That won’t stop websites from exploiting the vulnerability on a small scale, however, or keep hackers from targeting individuals.

