When we teach people how to avoid falling victim to phishing sites, we often tell them to look closely at the address bar: make sure the URL begins with HTTPS and that it doesn't contain suspicious domains like google.evildomain.com or look-alike spellings like g00gle.com. But what if someone found a way to harvest passwords with a malicious website that shows none of these telltale signs?
A researcher has devised a technique to do just that. He calls it BitB, for "browser in the browser." It uses a fake browser window, drawn inside the real browser window, to spoof the OAuth login page. Hundreds of thousands of websites use the OAuth protocol to let visitors sign in with an account they already have with a company like Google, Facebook, or Apple. Instead of creating yet another account on a new site, visitors reuse the one they already have, and OAuth does the rest.
The Canva photo-editing site, for instance, lets visitors sign in with any of those three accounts. The images below show what the user sees after clicking the "login" button and what appears after choosing to sign in with Google. After the user selects Google, a new browser window with a legitimate address opens in front of the existing Canva window.
The OAuth protocol ensures that only Google receives the user's password; Canva never sees the login credentials. Instead, OAuth establishes a login session with Google, and once the username and password have been checked, Google hands the visitor a token that grants access to Canva. (Something similar happens when a shopper chooses a payment method such as PayPal.)
The BitB technique exploits this arrangement. Instead of opening a genuine second browser window connected to the site that handles the login or payment, BitB uses a series of HTML tricks and cascading style sheets (CSS) to fake the second window in a convincing way. The URL shown in its address bar can be a valid one, complete with a padlock and an HTTPS prefix. The window's layout and behavior look exactly like the real thing.
A researcher who uses the handle mr.d0x published a technical description last week. His proof of concept began with a Web page containing a carefully crafted Canva spoof. When a visitor chooses to sign in with Apple, Google or Facebook, the fake Canva page opens a new page that embeds what looks like the familiar OAuth window.
This new page is also a fake. It includes all the images a person would see when signing in with Google, and it shows a legitimate Google address in what appears to be the address bar. The new window behaves the way a browser window connected to a real Google OAuth session would.
If a potential victim opens the fake Canva.com page and tries to log in with Google, "it will open a new browser window and access [what appears to be] the URL account.google.com," mr.d0x wrote in a message. In fact, the fake Canva page "didn't open a new browser window. It makes it look like a new browser window is opened but it's just HTML/CSS. Now that fake window sets the URL to account.google.com, but that's an illusion."
Malicious Advertisers: Please Don’t Read This
A fellow security researcher was impressed enough by the demonstration to create a YouTube video that shows the technique more vividly. It also explains how the technique works and how easy it is to pull off.
The BitB technique is simple and effective enough that it is surprising it isn't more widely known. After mr.d0x wrote about it, a small group of researchers commented on the likelihood that even the most experienced Web users would fall for the trick. (mr.d0x has provided proof-of-concept templates for it.)
"This in-browser attack is perfect for phishing," one developer wrote. "If you're involved in malicious advertising, please don't read this section. We don't want to give you ideas."
"Oh, that's annoying: the Browser In The Browser (BITB) attack, a new phishing technique that allows login credentials to be stolen in a way that even a web expert can't detect," another person said.
The technique has been used in the wild at least once before. As security firm Zscaler reported in 2020, scammers used a BitB attack in an attempt to steal login credentials for the video game distribution service Steam.
While this method is convincing, it has a few weaknesses that give a savvy visitor an easy way to spot that something is amiss. Genuine OAuth or payment windows are separate browser instances, distinct from the main page. That means users can resize them and move them anywhere on the screen, including outside the main window.
By contrast, a BitB window is not a separate browser instance. It is rendered with custom HTML and CSS and is contained within the main window. That means the fake window cannot be resized, fully maximized, or dragged outside the main window.
Unfortunately, as mr.d0x pointed out, these checks can be difficult to teach "because we're now removing the standard 'URL check' advice." "You're teaching users to do something they never did."
All users should protect their accounts with two-factor authentication; phishing-resistant methods such as FIDO2 security keys are bound to the origin of the page that requests them, so a key registered with accounts.google.com will not answer a challenge coming from the attacker's page. Experienced users can also right-click the window that pops up and select "Inspect." If the window is a BitB spawn, its URL will be hard-coded in the page's HTML rather than shown by the browser's own address bar. (A malicious page can suppress the context menu, though, so the drag-the-window test is the more dependable one.)
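The "inspect the HTML" check above can be automated for anyone who captures phishing pages, because the tell is structural: a real address bar is never part of the document, so a bare URL rendered as visible text, sitting above an iframe that is actually served from somewhere else, is exactly what a BitB template looks like in the DOM. The following is an added example, not the article's or mr.d0x's code; the two sample pages are constructed for this demonstration, and `canva-login.example` is a made-up phishing host. The check skips text inside `<a>`, `<script>` and `<style>`, since links legitimately show URLs as text and the other two are not rendered.

```python
"""Static check for BitB-style fake browser windows in captured page HTML.
Added example, not from the article or from mr.d0x's templates. The two sample
pages below are constructed for this demonstration; the heuristic is simply the
article's point that a real address bar is never part of the page's DOM."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

BARE_URL = re.compile(r"https?://[^\s<>\"']+")


class _Collector(HTMLParser):
    """Gathers URL-looking text nodes and iframe sources, skipping script/style/anchors."""

    def __init__(self):
        super().__init__()
        self.displayed_urls = []  # bare URLs rendered as visible text
        self.frame_srcs = []      # where the "window" content really comes from
        self._depth = {"script": 0, "style": 0, "a": 0}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in self._depth:
            self._depth[tag] += 1
        elif tag == "iframe" and attrs.get("src"):
            self.frame_srcs.append(attrs["src"])

    def handle_endtag(self, tag):
        if tag in self._depth and self._depth[tag]:
            self._depth[tag] -= 1

    def handle_data(self, data):
        text = data.strip()
        # Links legitimately display URLs as text; scripts and styles are not rendered.
        if text and not any(self._depth.values()) and BARE_URL.fullmatch(text):
            self.displayed_urls.append(text)


def scan_for_bitb(html, page_origin):
    """page_origin is where the HTML was actually fetched from (known to the scanner,
    even if hidden from the victim). Returns the evidence plus a verdict."""
    collector = _Collector()
    collector.feed(html)
    collector.close()
    real_host = urlparse(page_origin).hostname
    # A relative iframe src is served by the phishing page itself.
    frame_hosts = {urlparse(src).hostname or real_host for src in collector.frame_srcs}
    findings = []
    for url in collector.displayed_urls:
        shown_host = urlparse(url).hostname
        if shown_host and shown_host != real_host:
            findings.append(f"visible text displays foreign URL {url!r}; a real address bar is not in the DOM")
            if frame_hosts and shown_host not in frame_hosts:
                findings.append(f"content under that URL is framed from {sorted(frame_hosts)}, not {shown_host}")
    return {"suspicious": bool(findings), "displayed_urls": collector.displayed_urls,
            "frame_sources": collector.frame_srcs, "findings": findings}


# Constructed sample: a BitB-style fake popup. The "address bar" is a <div> of text and
# the login form is an iframe served from the phishing host itself.
BITB_PAGE = """
<html><body>
<div class="canva-clone">Sign in to Canva</div>
<div class="fake-window" style="position:absolute;top:120px;left:300px;width:480px">
  <div class="titlebar">Sign in - Google Accounts</div>
  <div class="addressbar"><span class="padlock">&#128274;</span>
       <span class="url">https://accounts.google.com/o/oauth2/auth</span></div>
  <iframe src="/google-login.html" style="border:0;width:480px;height:560px"></iframe>
</div>
<script>document.oncontextmenu = function () { return false; };</script>
</body></html>
"""

# Constructed sample: a legitimate page. The IdP URL only appears inside an attribute,
# and the browser itself renders the real address bar of the popup it opens.
REAL_PAGE = """
<html><body>
<h1>Log in to Canva</h1>
<button onclick="window.open('https://accounts.google.com/o/oauth2/auth?client_id=x', 'oauth', 'width=480,height=640')">
  Continue with Google</button>
<p>Questions? See https://www.canva.com/help</p>
<footer><a href="https://twitter.com/canva">https://twitter.com/canva</a></footer>
</body></html>
"""

if __name__ == "__main__":
    for name, page, origin in (("BitB", BITB_PAGE, "https://canva-login.example"),
                               ("real", REAL_PAGE, "https://www.canva.com")):
        print(name, scan_for_bitb(page, origin))
```

This catches templates that hard-code the URL as text, which is what the article describes. A kit tuned against it could render the URL as an image or split it across per-character spans, so treat the output as a triage signal for captured pages rather than proof of innocence; the user-facing test of dragging the window outside the main one does not depend on how the DOM is built.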
It would be no surprise if the BitB technique were already being used more widely, but the reaction mr.d0x received shows that many security defenders are unaware of BitB. And that means many end users are too.