Think of a regular day at work.Fixing some bugs, adding some new features to your web application. Some changes may be very sophisticated, some pretty easy.

​

You sip your morning coffee ☕ and your Client or Product Owner says:
​

- "Reader, can you open this link in a new tab?".

​

You say - "Sure!" and immediately add target="_blank".

​

​

And here is where the problem begins. 💀

​

someapp.com can TAKE CONTROL over your application! ‍😈

​

- "Bartosz? What are you talking about?!"

​

Let me explain. 👽 The newly opened tab with someapp.com can access window.opener property that points to the application that opened it (your app!).

This may lead to several consequences:

​

1. Stealing cookies - as simple as calling window.opener.document.cookie
2. Manipulating the DOM - window.opener.document can be just mutated in any way
3. Fishing attack - Changing the loaded website in the original tab (without the user even knowing it) is as simple as window.opener.location = "https://fishing-site.com" . This website may mimic your website and ask for a login and password.

​

- "Oh sh*t! This is a serious issue! How to prevent this?"

​

- "Just use rel=noopener in your links" as below.

​

This will result in window.opener being null and none of the listed attack vectors could be possible. 👏

​

A reflection on this?

​

Hmm... I like to say that there are two kinds of lack of knowledge: aware and unaware. You might not know something and be aware of that fact (the fact that you don't know). But if you are not aware that you don't know... - You don't know what you don't know - that is the pathway to a disaster. Not only in your professional life, but also private life.

​

What I mean by that is it's always better to assume an unaware lack of knowledge, so that you always dig deeper (instead of assuming that you know your unknowings).

​

Rate this email:

​GREAT 😃 | OKEY 😐 | BAD 😟

​

That's all, my friend,
Bartosz