
Insecure by default – hijacking websites that use target="_blank" - obi1kenobi
http://devproving.com/blank-hijack/
======
nthitz
Previous discussion on the same vulnerability
[https://news.ycombinator.com/item?id=11631292](https://news.ycombinator.com/item?id=11631292)

------
Retr0spectrum
This is a nice demonstration, although I feel like it would be more useful to
show that it works across domains (which IMHO is the most important part).

~~~
yeldarb
Does it actually work cross domain? That would really surprise me.

Edit: if I understand correctly this only allows the opened page to navigate
the opening page; it does not allow it to do anything else to the opener. Is
that correct?

~~~
aji
I don't know about the cross-domain case but on the same "domain" (file:
protocol) I used the following two HTML files

link.html:

    <!DOCTYPE html>
    <html>
    <body>
        <!-- target="_blank" gives the opened page a window.opener reference -->
        <a id="link" href="opener.html" target="_blank">Click</a>
    </body>
    </html>

opener.html:

    <!DOCTYPE html>
    <html>
    <body>
        <!-- same origin in this demo (both files on file:), so opener.document is readable -->
        <script>window.opener.document.getElementById("link").href = "https://google.com";</script>
    </body>
    </html>

and sure enough the link was changed. If this works cross-domain, this is kind
of a big deal, isn't it?

~~~
Retr0spectrum
See this comment for a cross-domain demo:
[https://news.ycombinator.com/item?id=11631810](https://news.ycombinator.com/item?id=11631810)

It's a fairly big deal, but not much is being done about it on the browser
side of things. It can only really be used for phishing-style attacks.

~~~
magicalist
You cannot access the opener's document cross-origin as aji's example does.

~~~
Retr0spectrum
Sorry, I didn't read the comment carefully enough.

I assumed we were still talking about window.opener.location (which can be
modified across domains)

------
milankragujevic
AFAIK, many (pirate) websites now use this technique to hijack the previous
tab and show ads even if you have an adblocker, and always open their links in
new tabs.

------
Raphmedia
Can anyone explain how this works?

~~~
tinus_hn
The problem is that a document in a window opened by a link with
target="_blank" unexpectedly has a reference to the document that contains the
link, using the window.opener property.

This property has limited functionality, but one of the things that is allowed
is redirecting the page to something else, which is kind of unexpected.

The problem is not websites that use target="_blank", it's browsers that
refuse to fix this behavior because of some ill-defined compatibility issue
that appears to exist mostly in the heads of developers who don't want to work
on a fix.
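Added example illustrating the mechanism tinus_hn describes; this is not code from the thread, the linked article, or any browser vendor. Part 1 is the payload the opened tab runs: cross-origin it can only assign `window.opener.location`, and it needs a real browser `window` (the fake object below stands in for it). Part 2 is a server-side audit and rewrite for templates, assuming the standard mitigation of `rel="noopener"` (with `noreferrer` for browsers that predate `noopener`). The `example.com`/`evil.example` URLs and `SAMPLE_HTML` are constructed for the demo.

```javascript
// Part 1: what the opened tab can do with window.opener.
// Cross-origin, win.opener.location is assignable but win.opener.document
// is not readable. `win` is a real `window` in a browser; tests pass a fake.
function hijackOpener(win, url) {
  if (!win.opener) return false;   // rel="noopener" (or no opener): nothing to do
  win.opener.location = url;       // navigates the *originating* tab, e.g. to a login look-alike
  return true;
}

// Part 2: audit and harden <a target="_blank"> in HTML templates.
// Limitation: regex-based, so an attribute value containing '>' breaks it.
const ANCHOR_RE = /<a\b[^>]*>/gi;
const TARGET_BLANK_RE = /\btarget\s*=\s*(?:"_blank"|'_blank'|_blank\b)/i;
const REL_RE = /\brel\s*=\s*("([^"]*)"|'([^']*)')/i;

// Returns the lower-cased rel tokens of one <a> tag, or null if it has no rel.
function relTokens(tag) {
  const m = REL_RE.exec(tag);
  if (!m) return null;
  const value = m[2] !== undefined ? m[2] : m[3];
  return value.trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase());
}

// Unsafe = opens a new tab and neither noopener nor noreferrer is set.
function isUnsafeBlankAnchor(tag) {
  if (!TARGET_BLANK_RE.test(tag)) return false;
  const rel = relTokens(tag);
  return !(rel && (rel.includes("noopener") || rel.includes("noreferrer")));
}

function findUnsafeBlankLinks(html) {
  return (html.match(ANCHOR_RE) || []).filter(isUnsafeBlankAnchor);
}

// Adds "noopener noreferrer" to an unsafe tag, merging with an existing rel.
function hardenAnchor(tag) {
  if (!isUnsafeBlankAnchor(tag)) return tag;
  const m = REL_RE.exec(tag);
  if (m) {
    const existing = (m[2] !== undefined ? m[2] : m[3]).trim();
    const merged = (existing ? existing + " " : "") + "noopener noreferrer";
    return tag.slice(0, m.index) + `rel="${merged}"` + tag.slice(m.index + m[0].length);
  }
  // No rel attribute: insert one just before the closing bracket.
  return tag.replace(/\s*\/?>$/, (end) => ` rel="noopener noreferrer"${end}`);
}

function hardenBlankLinks(html) {
  return html.replace(ANCHOR_RE, hardenAnchor);
}

// Constructed sample template (not from the thread).
const SAMPLE_HTML = `
<a href="https://example.com/docs" target="_blank">Docs</a>
<a href="https://example.com/partner" target="_blank" rel="nofollow">Partner</a>
<a href="https://example.com/safe" target="_blank" rel="noopener">Safe</a>
<a href="/local">Same tab</a>
`;

console.log("unsafe anchors:", findUnsafeBlankLinks(SAMPLE_HTML));
console.log(hardenBlankLinks(SAMPLE_HTML));
```

Run it with `node` to list the two anchors that leak the opener and the rewritten template. Anchors generated from user content (comments, forum posts) are the ones to audit first, since that is exactly the case where the opened page is under someone else's control.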

