
Steemit target _blank vulnerability inspection


Example of exploit of the "target _blank" vulnerability
code snippet.png

The vulnerability is not exploited in this case because Steemit does not, by default, open the above link (or links in general) in a new tab.

However, Steemit uses target _blank for many other links on its platform. That means that if any of those third-party websites is compromised, a phishing attack could be performed against the Steemit page.

Feel free to download the script and try it locally, simply changing the links to use a local path like "file:///C:/Users/your-username/Documents/test.html" and redirecting to a fake login page like this:
fake login page smaller.png

See my previous bug report for details on this potential bug and common solutions: @gaottantacinque/steemit-minor-bugs-reporting

UPDATE:

Internet is a safe place!! (..not)


The attack does not work on Steemit. I tested it on all major browsers, changing on the client side the links that use target _blank to point to the page that redirects the original tab to a phishing page. The original tab (Steemit) was not redirected, thanks to their use of noreferrer noopener in the links that use target _blank.

The problem, though, is that it works like a charm on all major social media platforms!
When something like the link above (e.g. https://mycatnamedweb.github.io/) is posted as a Facebook comment or post, the newly opened tab is easily able to redirect the original tab to a phishing page.

Affected browsers and social media platforms:

  • Chrome: LinkedIn
  • Edge: Facebook, LinkedIn, Twitter (warning displayed for the latter)
  • Firefox: Facebook, LinkedIn
  • Opera: Facebook, LinkedIn
  • Safari: Facebook, LinkedIn, Twitter (warning displayed for the latter)
  • ...
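
The protection that held up on Steemit (rel noopener / noreferrer on every target _blank link) is easy to audit on your own pages. The following is an added example, not code from the original post or from Steemit: it scans an HTML string for links that open a new tab without either rel token. The function names and the sample markup are made up for the illustration, and the regex parsing is a simplification.

```javascript
// Added example: audit markup for target="_blank" links lacking
// rel="noopener" / rel="noreferrer". Regex parsing is a simplification;
// in a browser, walk document.querySelectorAll('a[target]') instead.

// Constructed sample markup (not taken from any real site).
const SAMPLE_HTML = `
<a href="https://example.com/a" target="_blank">no rel</a>
<a href="https://example.com/b" target="_blank" rel="noopener noreferrer">ok</a>
<a href="https://example.com/c" target='_BLANK' rel="nofollow">wrong rel</a>
<a href="https://example.com/d">same tab</a>
<a href="https://example.com/e" target=_blank rel=noreferrer>unquoted</a>
`;

// Parse name=value attributes (double-quoted, single-quoted or unquoted).
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return the href of every new-tab link that leaves window.opener exposed.
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  for (const [tag] of html.matchAll(/<a\s[^>]*>/gi)) {
    const a = parseAttrs(tag);
    if ((a.target || "").toLowerCase() !== "_blank") continue;
    const rel = (a.rel || "").toLowerCase().split(/\s+/);
    // noreferrer also implies noopener, so either token is enough.
    if (!rel.includes("noopener") && !rel.includes("noreferrer")) {
      unsafe.push(a.href || "(no href)");
    }
  }
  return unsafe;
}

// Build the rel value to write back, keeping any existing tokens.
function hardenedRel(rel) {
  const tokens = new Set((rel || "").toLowerCase().split(/\s+/).filter(Boolean));
  tokens.add("noopener");
  tokens.add("noreferrer");
  return [...tokens].join(" ");
}

console.log(findUnsafeBlankLinks(SAMPLE_HTML));
```

Current browser releases treat target _blank as noopener by default, but setting rel explicitly still covers older clients and user-submitted links.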
