This is indeed tricky! How would one protect against it? You would have to train yourself to always look at the address bar. How can a page get so much access to client-side information, e.g. that it has been inactive for a while?
It’s useful in various types of applications. I use it in Pushover’s web client to know whether the tab is in the background and should generate a popup notification with sound, or just show the new message since the user is looking at the app. I’m sure other websites do the same, such as those chat-with-an-agent sites that will flash the tab title to let you know the support rep just said something.
This attack could work without those events, though. Just start a timer when the page loads and, if it goes off in X seconds without detecting any other mouse movement or keyboard input, assume you’re in a background tab or the user just locked the screen, and swap out your content.
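The two mechanisms described above, the Page Visibility API and the "no input for X seconds" fallback timer, combined into one attention detector. This is an added example, not code from the thread, from Pushover, or from the original article; the event names are standard DOM events, while the `idleMs` threshold, the `AttentionDetector`/`replay` names and the sample timeline are assumptions made here so the logic can be exercised outside a browser.

```javascript
// Added example (not from the thread or the article): a page-attention detector that
// combines document.hidden / visibilitychange with the "no input for X seconds" heuristic.
// The clock and the event wiring are injected so the decision logic runs without a DOM.

class AttentionDetector {
  constructor({ idleMs = 30000, now = () => Date.now() } = {}) {
    this.idleMs = idleMs;     // assumed threshold; tune per application
    this.now = now;
    this.hidden = false;      // updated from visibilitychange when the browser provides it
    this.lastInput = now();   // time of the last mouse/keyboard/touch/scroll event
  }

  // Any user input is evidence the user is looking at the page.
  recordInput() { this.lastInput = this.now(); }

  // The Visibility API is authoritative when present; returning to the tab counts as input.
  setHidden(hidden) {
    this.hidden = hidden;
    if (!hidden) this.recordInput();
  }

  // Idle if the tab is hidden, or if nothing has happened for idleMs even though the
  // tab is nominally visible (screen locked, user walked away, or no Visibility API).
  isIdle() {
    return this.hidden || this.now() - this.lastInput >= this.idleMs;
  }

  // Wire into a real browser Document.
  attach(doc) {
    for (const ev of ['mousemove', 'keydown', 'scroll', 'touchstart', 'click']) {
      doc.addEventListener(ev, () => this.recordInput(), { passive: true });
    }
    if (typeof doc.hidden === 'boolean') {
      this.setHidden(doc.hidden);
      doc.addEventListener('visibilitychange', () => this.setHidden(doc.hidden));
    }
  }
}

// Replays a constructed timeline against a fake clock and returns the detector's verdict
// after each step, so the heuristic can be checked offline.
function replay(events, idleMs) {
  let t = 0;
  const det = new AttentionDetector({ idleMs, now: () => t });
  const out = [];
  for (const e of events) {
    t = e.at;
    if (e.type === 'input') det.recordInput();
    else if (e.type === 'hide') det.setHidden(true);
    else if (e.type === 'show') det.setHidden(false);
    out.push({ at: t, idle: det.isIdle() });
  }
  return out;
}

// Constructed sample timeline (milliseconds since load).
const SAMPLE = [
  { at: 1000, type: 'input' },   // user types
  { at: 5000, type: 'tick' },    // 4 s quiet: still attentive
  { at: 40000, type: 'tick' },   // 39 s quiet: idle by the timer alone
  { at: 41000, type: 'input' },  // user is back
  { at: 42000, type: 'hide' },   // switched tabs: idle immediately, no timer needed
  { at: 43000, type: 'show' },   // returned: attentive again
];

if (typeof document !== 'undefined') {
  // In a browser: real wiring. Decide how to surface a new message, as in the chat-client
  // use case above: popup with sound when idle, inline update when the user is watching.
  const det = new AttentionDetector({ idleMs: 30000 });
  det.attach(document);
  window.notifyNewMessage = (text) =>
    det.isIdle() ? console.log('popup+sound:', text) : console.log('inline:', text);
} else {
  console.log(replay(SAMPLE, 30000));
}
```

The same `isIdle()` verdict that a legitimate client uses to choose between a notification and an inline update is all a tabnabbing page needs to decide when to swap its content, which is why the heuristic cannot be blocked without breaking ordinary web apps; it is the address bar, not the page, that has to be checked.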
I just realized - if you have stored passwords and that’s what you use, you are less likely to be affected - when you are genuinely asked to re-login to an account, the browser autofills the password etc., depending on the website. So, if you have stored passwords for a site, you’ll notice something wonky when the password isn’t filled out.
When I’m redirected to a login form I retype the address in the URL bar (typically autocomplete makes this fast). This is from paranoia that I’ll be hit by some i18n domain spoofing attack at some point.
I thought it was weird how they didn’t mention seeing this attack in the wild; he seems to have invented it and named it himself.
This kind of attack once again shows how important our work is on the Firefox Account Manager.
This article looks like it was written for the sake of advertising their extension.
Why is that weird? A lot of security problems are found that way and may get fixed in one browser but not another, or just lead to some helpful discussion. lcamtuf has found a lot of insane browser security things without seeing them in the wild (bad guys aren’t as smart), and announced them with a PoC.