"Target Blank" hack: Facebook, Twitter have been vulnerable to a massive exploit for years


Hackers access hidden information with some of the most complicated techniques available. But sometimes the most successful hacks are simple tricks hidden in plain sight, where you'd least expect them.

A widespread vulnerability, brought to Mic's attention by New York-based developer Ben Halpern, allows hackers and online scammers to bait you with a link, then use it to hijack the browser tab you're on to redirect you wherever they choose. You might not even notice.

It's called the target="_blank" vulnerability. Target Blank looks like a normal link you might see on Facebook. Click or tap the link, and a new tab opens that contains the site you were looking for — nothing unusual there. 

The original tab — Facebook.com, for instance — is the one affected. The attackers can change it to whatever they want while you're not paying attention, like a magician's sleight-of-hand trick.

Don't worry, the mobile apps you're using are safe. It's your browser that's vulnerable. Many websites simply fail to defend themselves from it.

Twitter.com is affected (but only when you're using Safari). Facebook.com is too, regardless of the browser. And there are many more: Target Blank affects an untold number of sites across the internet that aren't specifically watching for it, including this one — we've provided a demonstration later.

It's also been around for a while. Halpern told Mic over the phone that Target Blank has been a widely known vulnerability for years in the development community, especially nefarious when used on social networks or online forums where malicious attackers can post whatever links they want. Few, however, thought that a giant like Facebook would be so susceptible.

Where the real danger lies: Let's say the hacker changed the original tab to a fake Facebook.com login page. Glance back at the original and you might think you've just been logged out, so you hastily type in your login info. Once the hacker has your Facebook password, they can access any other account where you've used the same password. (This is one of the most common ways of hacking someone.)

But perhaps the most ominous aspect of Target Blank is that Facebook might not realize it's being used to gain access to users' accounts. This isn't an attack on Facebook's servers — it's all happening at the browser level.

Jack Smith IV

Fixing the problem: Halpern says it's an easy exploit to stop, but it has to be done by the websites themselves. 

For simpler sites, fixing it means adding the attribute rel="noopener" to the code for links that open in a new tab. Halpern suspects this is how Instagram patched up the vulnerability after he blogged about it last week. But in more complicated posting mechanisms like Facebook's, which is more than a decade into its development, it can be a daunting project.
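As an added illustration of that fix (not code from Halpern, Mic or any site named here), the sketch below shows how a site could add rel="noopener" to user-posted links that use target="_blank" before rendering them. The function name hardenBlankLinks and the sample links are assumptions made for this example, and the regex-based tag handling is a simplification.

```javascript
// Added example: add rel="noopener" to every target="_blank" link in a
// fragment of user-submitted HTML. With noopener set, the newly opened page
// gets no window.opener reference back to the tab the user came from.
// Assumption: regexes stand in for a real HTML parser to keep this short;
// a production sanitizer should work on a parsed DOM instead.

// Opening <a ...> tag; captures the attribute text.
const ANCHOR_TAG = /<a(\s[^>]*)>/gi;
// target="_blank", quoted or unquoted, any letter case.
const TARGET_BLANK = /(?:^|\s)target\s*=\s*(["']?)_blank\1/i;
// Existing rel attribute; captures leading whitespace and the value.
const REL_ATTR = /(^|\s)rel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function hardenBlankLinks(html) {
  let fixed = 0;
  const output = html.replace(ANCHOR_TAG, (tag, attrs) => {
    if (!TARGET_BLANK.test(attrs)) return tag; // same-tab link: leave alone
    const rel = attrs.match(REL_ATTR);
    const value = rel ? (rel[2] ?? rel[3] ?? rel[4]) : "";
    const tokens = value.split(/\s+/).filter(Boolean);
    if (tokens.some((t) => t.toLowerCase() === "noopener")) return tag;
    fixed += 1;
    tokens.push("noopener"); // keep other rel tokens such as nofollow
    const relText = `rel="${tokens.join(" ")}"`;
    const newAttrs = rel
      ? attrs.replace(REL_ATTR, (match, lead) => lead + relText)
      : `${attrs} ${relText}`;
    return `<a${newAttrs}>`;
  });
  return { output, fixed };
}

// Constructed sample input: four user-posted links.
const SAMPLE = [
  '<a href="https://example.com/a" target="_blank">no rel</a>',
  '<a href="https://example.com/b" rel="nofollow" target="_blank">other rel</a>',
  '<a href="https://example.com/c" target="_blank" rel="noopener">already fixed</a>',
  '<a href="https://example.com/d">same tab</a>',
].join("\n");

console.log(hardenBlankLinks(SAMPLE));
```

The fixed count doubles as an audit number: run over stored posts, it reports how many new-tab links were rendered without the attribute.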

A Facebook representative told Mic, "We're already in touch with the browsers to help them get this fixed. In the meantime, we have the ability to block a URL or domain if we detect abuse."

"The basic prevention tactic is pretty damn basic if you've thought about it from the start of development," Halpern told Mic. "But it hasn't been treated as a true exploit, because it's behavior you could easily prevent against. It's technically known, but in developer circles, it's very underestimated." (We also reached out to Twitter for comment and will update this post if we hear back.)