
MSE FAULT - Links open in current tab instead of a new tab - action required


Comments

  • pate-ci0
    pate-ci0 Posts: 3,056 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    Here's an explanation of a security risk, to do with opening a link in a new tab, which may be the cause of the current situation:

    https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
  • robbies_gal
    robbies_gal Posts: 7,895 Forumite
    Part of the Furniture 1,000 Posts
    Thanks matty, does it interfere with other sites/settings?

    will give it a try
    What goes around-comes around
  • moonshine
    moonshine Posts: 815 Forumite
    Part of the Furniture 500 Posts Combo Breaker
    I still think it needs putting back to how it was. I'm sure the so-called risk is minimal and as this (not opening a new tab/window) doesn't happen on other sites, I really can't see the need for such paranoia here.
  • 100mg
    100mg Posts: 62 Forumite
    mattytun wrote: »
    OK, I've downloaded an "Add-on" for Firefox called "open link in new tab" and at the moment it's working OK.

    Thanks for that. Works well. Right PITA before.
    As if target="_blank" is a security risk.

    I've been using target="_blank" for the past 25 years to stop users deviating from my websites when they click on a link. No complaints of security breaches so far.
  • One-Eye
    One-Eye Posts: 69,934 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    If target="_blank" is such a security risk then:

    1) Why do "Martin's Twitter" and "MSE's Twitter" and all the links therein on the RHS of the forum still use it a week after the change to the forum was implemented?

    2) Why have MSE not trawled through the forum and changed the links in every post created before 11am 03/10 to remove it?

    If you study the background on the theoretical vulnerability caused by target="_blank" then it is a massive overreaction to disable it. In security terms, if allowing members to post links on the forum is akin to walking down the middle of a motorway, then disabling target="_blank" is like only allowing you to do it facing the oncoming traffic. It also appears to me that the theoretical vulnerability can be easily eliminated with a few lines of code so the usefulness of target="_blank" can be retained.
  • mattytun
    mattytun Posts: 13,920 Forumite
    Rampant Recycler Xmas Saver! Savvy Shopper! Energy Saving Champion
    robbies_gal wrote: »
    Thanks matty, does it interfere with other sites/settings?

    will give it a try

    No, it is working OK at the moment.

    I've only been using it on MSE so once I log out I just disable it ;)
    Can't sleep, quit counting sheep and talk directly to the shepherd :cool:
  • Mista_C
    Mista_C Posts: 2,202 Forumite
    Part of the Furniture Combo Breaker
    If you really must have links open in a new tab then for now you can use the old skool method of holding down CTRL while clicking the link.
  • rugmaker
    rugmaker Posts: 395 Forumite
    Part of the Furniture 100 Posts
    Mista_C wrote: »
    If you really must have links open in a new tab then for now you can use the old skool method of holding down CTRL while clicking the link.

    There are various ways around it on a laptop or PC, but it's more difficult on a phone or tablet.

    It would also have been nice for MSE to tell us about the change in advance or at least respond promptly when it was reported as a fault. If the website for a bank or rail company had handled a change like this, they would doubtless have been panned for poor customer service.
  • esuhl
    esuhl Posts: 9,409 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    pate-ci0 wrote: »
    Here's an explanation of a security risk, to do with opening a link in a new tab, which may be the cause of the current situation:

    https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/

    Riiiight... So a malicious site could cause the previously opened MSE tab to redirect to a fake/malware/phishing site...?

    Have I understood that right...?

    Surely that would be due to bad coding in the web browser...? Is that right? Does it affect all browsers?
  • esuhl
    esuhl Posts: 9,409 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    100mg wrote: »
    I've been using target="_blank" for the past 25 years to stop users deviating from my websites when they click on a link. No complaints of security breaches so far.

    I'm no pro, I'd never heard of this issue before. Strange. It sounds like the kind of thing for which there would be a very quick/simple patch.
This discussion has been closed.
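
The "few lines of code" and "quick/simple patch" suggested in the thread correspond to a known fix: keep target="_blank" but add rel="noopener noreferrer", so the newly opened page gets no window.opener handle on the forum tab. The sketch below is an added example, not MSE's code or part of any post; the function names and the sample markup are assumptions made for illustration.

```javascript
// Added example: a server-side pass over rendered post HTML (runs in Node.js).
// Assumes well-formed anchor tags with quoted attribute values, as a forum
// renderer would emit. It is not a general-purpose HTML parser.
const REQUIRED_REL = ["noopener", "noreferrer"];

function hardenAnchor(tag) {
  // Only links that open a new tab/window need the extra rel tokens.
  const target = /\starget\s*=\s*(["'])(.*?)\1/i.exec(tag);
  if (!target || target[2].trim().toLowerCase() !== "_blank") return tag;

  // Keep whatever rel tokens the link already has (e.g. nofollow).
  const rel = /\srel\s*=\s*(["'])(.*?)\1/i.exec(tag);
  const tokens = rel ? rel[2].split(/\s+/).filter(Boolean) : [];
  const have = new Set(tokens.map((t) => t.toLowerCase()));
  for (const needed of REQUIRED_REL) {
    if (!have.has(needed)) tokens.push(needed);
  }
  const relAttr = ` rel="${tokens.join(" ")}"`;

  // Replace an existing rel attribute, or insert one before the closing ">".
  return rel
    ? tag.replace(rel[0], () => relAttr)
    : tag.replace(/\s*\/?>$/, (end) => relAttr + end.trimStart());
}

function hardenLinks(html) {
  // Match opening <a ...> tags only; everything else passes through untouched.
  return html.replace(/<a\s[^>]*>/gi, hardenAnchor);
}

// Constructed sample post body (not taken from the forum).
const SAMPLE_POST =
  '<p>See <a href="https://example.com/deal" target="_blank">this deal</a> ' +
  'and <a rel="nofollow" target="_blank" href="https://example.org/">this one</a>, ' +
  'or the <a href="/faq">FAQ</a>.</p>';

console.log(hardenLinks(SAMPLE_POST));
```

Links without target="_blank" are left alone, and running the pass twice gives the same output, so it can be applied both to new posts and to posts already stored.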