If you are building outbound links and using target="_blank" to open clicks in a new browser tab, you may have a link phishing security issue.
As a digital marketing business, we want to help people find great content. That means we create lots of content and link to content. For example, we maintain a list of upcoming marketing conferences and marketing statistics.
Like many websites, for our outbound links, we use target="_blank" in our link anchors. This opens the link in a new tab in the web browser. We do this for a couple of reasons, but the main one is that it keeps the visitor on our website and hopefully they’ll come back when they finish following the link they clicked.
However, when using this technique you can create a phishing vulnerability.
This link phishing vulnerability is not only dangerous, but it is something that a lot of content marketers don’t realize is happening.
How Do I Fix This?
I’ll explain how this link phishing vulnerability works, but if you just want the fix, add this to any links where you use
For example, let’s say you want to link to DailyStory’s list of upcoming marketing conferences (we would appreciate that). Of course, you want that link to open in a new browser tab. Here is what your link should look like in HTML:
<a href="https://www.dailystory.com/blog/best-marketing-conferences-2017/" target="_blank" rel="noopener noreferrer">List of Marketing Conferences in 2017</a>
When you add rel="noopener noreferrer" to your link it protects you from this link phishing security vulnerability. Something every content marketer should care about!
It’s worth mentioning that if you are using the latest version of WordPress, it will do this for you automatically when you create a link in the rich editor and select ‘Open link in a new tab’.
How does this link phishing vulnerability work?
There are lots of great technical explanations of this problem. We’ll summarize and then walk through how the vulnerability could work.
It’s worth noting that the blogs linked to above all reference vulnerabilities in both Facebook and Instagram. Those are fixed.
The simplest explanation is that the newly opened tab, the one opened by your use of target="_blank", gets some special rights and access to the tab that opened it: through the browser's window.opener reference, it can send the original tab to a different URL.
Here is how the vulnerability works:
Someone visits your website and clicks on one of your links to read a blog you referenced, let’s call it “Some Great New Business Idea”. Because your link used target="_blank", a new browser tab was opened. This new tab can access the tab that opened it.
“Some Great New Business Idea” is a page designed to exploit this vulnerability in the hopes that people will link to it (a bit of a stretch, but work with me).
You finish reading “Some Great New Business Idea”, close the tab and see that Twitter wants you to sign back in. Unfortunately, you are now the victim of a phishing attack and have unknowingly given someone your Twitter login.
If you are using outbound links in your content marketing strategy, which most of us are, you need to make sure that you fix this so you don’t expose your readers and visitors to this link phishing vulnerability.
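To find the links on your own pages that still need the fix, the following added example (not code from the original article) scans HTML for target="_blank" links whose rel attribute lacks the recommended tokens and reports the line, the href and what is missing. The function and class names, and the sample markup with its example.com URLs, are assumptions made for illustration.

```python
from html.parser import HTMLParser

REQUIRED = ("noopener", "noreferrer")  # the rel tokens the article recommends


class BlankTargetAuditor(HTMLParser):
    """Collect links that open a new tab without the recommended rel tokens."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, href, missing rel tokens)

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        # Attribute names arrive lowercased; a bare attribute has value None.
        attr = {name: (value or "") for name, value in attrs}
        # Browsers match the _blank keyword case-insensitively.
        if attr.get("target", "").strip().lower() != "_blank":
            return
        # rel is a space-separated token list; unrelated tokens may be present.
        tokens = set(attr.get("rel", "").lower().split())
        missing = [t for t in REQUIRED if t not in tokens]
        if missing:
            line, _col = self.getpos()
            self.findings.append((line, attr.get("href", ""), missing))


def audit(html):
    """Return a list of (line, href, missing_tokens) for links needing the fix."""
    auditor = BlankTargetAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page; the example.com URLs are placeholders.
SAMPLE = """<p>
<a href="https://example.com/a" target="_blank">no rel at all</a>
<a href="https://example.com/b" target="_blank" rel="nofollow">unrelated rel</a>
<a href="https://example.com/c" TARGET="_BLANK" rel="noopener">one token only</a>
<a href="https://example.com/d" target="_blank" rel="noopener noreferrer">ok</a>
<a href="https://example.com/e">same-tab link</a>
</p>"""

if __name__ == "__main__":
    for line, href, missing in audit(SAMPLE):
        print(f"line {line}: {href} is missing rel tokens: {' '.join(missing)}")
```

Run it over exported post HTML or rendered templates; an empty result means every new-tab link already carries both tokens.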