Building outbound links? You may have a link phishing security issue

If you are building outbound links and using target="_blank" to open clicks in a new browser tab, you may have a link phishing security issue.


As a digital marketing business, we want to help people find great content. That means we create lots of content and link to content. For example, we maintain a list of upcoming marketing conferences and marketing statistics.

Like many websites, for our outbound links, we use target="_blank" in our link anchors. This opens the link in a new tab in the web browser. We do this for a couple of reasons, but the main one is that it keeps the visitor on our website and hopefully they’ll come back when they finish following the link they clicked.

However, when using this technique you can create a phishing vulnerability.

This link phishing vulnerability is not only dangerous, but it is something that a lot of content marketers don’t realize is happening.

How Do I Fix This?

I’ll explain how this link phishing vulnerability works, but if you just want the fix, add this to any links where you use target="_blank":

rel="noopener noreferrer"

For example, let’s say you want to link to DailyStory’s list of upcoming marketing conferences (we would appreciate that). Of course, you want that link to open in a new browser tab. Here is what your link should look like in HTML:

<a href="https://www.dailystory.com/blog/best-marketing-conferences-2017/" target="_blank" rel="noopener noreferrer">List of Marketing Conferences in 2017</a>

When you add rel="noopener noreferrer" to your link it protects you from this link phishing security vulnerability. Something every content marketer should care about!
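
For pages that are already published, the same fix can be applied in bulk. The following is an added example, not code from the original article: the function names `hardenBlankLinks` and `parseAttrs` are hypothetical, the sample markup is constructed, and the regex-based approach assumes simple, well-formed HTML.

```javascript
// Added example (not from the original article): make every <a target="_blank">
// opening tag carry rel="noopener noreferrer". Regex-based, so it assumes
// simple, well-formed markup such as CMS output; it is not a full HTML parser.
const REQUIRED_REL = ["noopener", "noreferrer"];
const ANCHOR_TAG = /<a(\s(?:[^>"']|"[^"]*"|'[^']*')*)>/gi;
const ATTRIBUTE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute text of one tag into [name, value-or-null] pairs.
function parseAttrs(raw) {
  const attrs = [];
  for (const m of raw.matchAll(ATTRIBUTE)) {
    attrs.push([m[1], m[2] ?? m[3] ?? m[4] ?? null]);
  }
  return attrs;
}

// Returns the rewritten HTML and how many links had to be changed.
function hardenBlankLinks(html) {
  let fixed = 0;
  const out = html.replace(ANCHOR_TAG, (tag, raw) => {
    const attrs = parseAttrs(raw);
    const find = (name) => attrs.find(([n]) => n.toLowerCase() === name);
    const target = find("target");
    if (!target || (target[1] || "").toLowerCase() !== "_blank") return tag;

    // Keep existing rel tokens (e.g. nofollow) and append only what is missing.
    const rel = find("rel");
    const tokens = rel && rel[1] ? rel[1].split(/\s+/).filter(Boolean) : [];
    const present = tokens.map((t) => t.toLowerCase());
    const missing = REQUIRED_REL.filter((t) => !present.includes(t));
    if (missing.length === 0) return tag; // already safe, leave untouched

    fixed += 1;
    const value = tokens.concat(missing).join(" ");
    if (rel) rel[1] = value;
    else attrs.push(["rel", value]);
    const rebuilt = attrs
      .map(([n, v]) => (v === null ? n : `${n}="${v.replace(/"/g, "&quot;")}"`))
      .join(" ");
    return `<a ${rebuilt}>`;
  });
  return { html: out, fixed };
}

// Constructed sample input: two new-tab links missing the fix, one same-tab link.
const SAMPLE = [
  '<a href="https://www.dailystory.com/blog/best-marketing-conferences-2017/" target="_blank">Conferences</a>',
  "<a target=_blank rel='nofollow' href=/stats>Stats</a>",
  '<a href="/about">About</a>',
].join("\n");
console.log(hardenBlankLinks(SAMPLE));
```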

It’s worth mentioning that if you are using the latest version of WordPress, it will do this for you automatically when you create a link in the rich editor and select ‘Open link in a new tab’.

How does this link phishing vulnerability work?

There are lots of great technical explanations of this problem. We’ll summarize and then walk through how the vulnerability could work.

It’s worth noting that the blogs linked to above all reference vulnerabilities in both Facebook and Instagram. Those are fixed.

The simplest explanation is that the newly opened tab, the one opened by your use of target="_blank", gets some special rights and access to the tab that opened it.

The newly opened tab can use JavaScript to access the opening tab and retrieve information from it.

Here is how the vulnerability works:

Someone visits your website and clicks on one of your links to read a blog you referenced, let’s call it “Some Great New Business Idea”. Because your link used target="_blank" a new browser tab was opened. This new tab can access the tab that opened it.

“Some Great New Business Idea” is a page designed to exploit this vulnerability in the hopes that people will link to it (a bit of a stretch, but work with me).

JavaScript on “Some Great New Business Idea” can communicate with the browser tab that opened it and redirect it to a fake phishing page that looks like a Twitter login screen.

You finish reading “Some Great New Business Idea”, close the tab and see that Twitter wants you to sign back in. Unfortunately, you are now the victim of a phishing attack and have unknowingly given someone your Twitter login.

Bottom line

If you are using outbound links in your content marketing strategy, which most of us are, you need to make sure that you fix this so you don’t expose your readers and visitors to this link phishing vulnerability.