When teaching people how to avoid falling victim to phishing sites, we generally advise them to inspect the address bar carefully: make sure the URL uses HTTPS, and make sure it does not contain a suspicious domain such as google.evildomain.com or a look-alike with substituted letters such as g00gle.com. But what if someone finds a way to phish passwords using a malicious site that shows none of these telltale signs?
A researcher has developed a technique that achieves exactly this. He calls it BitB, short for “browser in the browser”. It uses a fake browser window inside a real browser window to spoof an OAuth page. Hundreds of thousands of sites use the OAuth protocol to let visitors log in with an existing account at a company such as Google, Facebook or Apple. Instead of creating a new account on the site, visitors use an account they already have, and OAuth does the rest.
Photo-editing site Canva, for example, offers visitors the option of logging in with one of three common accounts. The first image below shows what a user sees after clicking the “login” button; the second shows what appears after choosing to sign in with a Google account. Once the user chooses Google, a new browser window with a legitimate Google address opens in front of the existing Canva window.
The OAuth protocol ensures that only Google receives the user’s password. Canva never sees credentials. Instead, OAuth securely establishes a login session with Google, and when the username and password are verified, Google provides the visitor with a token that grants access to Canva. (Something similar happens when a buyer chooses a payment method like PayPal.)
The BitB technique capitalizes on this pattern. Instead of opening an actual second browser window connected to the site that handles the login or checkout, BitB uses a series of HTML and Cascading Style Sheets (CSS) tricks to convincingly spoof that second window. The URL shown in it can be a valid address, complete with a padlock and an HTTPS prefix. The layout and behavior of the window look identical to the real thing.
A researcher using the handle mr.d0x described the technique last week. His proof-of-concept begins with a web page that is a painstakingly accurate Canva spoof. When a visitor chooses to log in via Apple, Google or Facebook, the fake Canva page opens a new page that looks like the familiar OAuth page.
This new page is also a spoof. It includes all the graphics a person expects to see when signing in with Google. It also displays the legitimate Google address in what appears to be the address bar. The new window behaves much as a browser window would if it were connected to a real Google OAuth session.
If a potential victim opens the fake Canva.com page and tries to sign in with Google, “it will open a new browser window and go to [what appears to be] the accounts.google.com URL,” mr.d0x wrote in a post. In fact, the fake Canva site “does not open a new browser window. It looks like a new browser window has been opened, but it’s just HTML/CSS. Now this fake popup sets the URL to accounts.google.com, but that’s an illusion.”
Malvertisers: please don’t read this
A fellow security researcher was impressed enough with the demonstration to create a YouTube video that shows more clearly what the technique looks like. It also explains how the technique works and how easy it is to implement.
The BitB technique is simple and effective enough that it is surprising it is not better known. After mr.d0x wrote about the technique, a small chorus of fellow researchers commented on how likely even experienced web users would be to fall for the trap. (mr.d0x has made proof-of-concept templates available here.)
“This browser-in-browser attack is perfect for phishing,” one developer wrote. “If you are involved in malicious advertisements, please do not read this. We don’t want to give you any ideas.”
“Ooh that’s mean: Browser In The Browser (BITB) Attack, a new phishing technique that steals credentials that even a web professional can’t detect,” another person noted.
The technique has been used in the wild at least once before. As security firm Zscaler reported in 2020, crooks used a BitB attack in an attempt to steal credentials from users of the video game distribution service Steam.
While the method is convincing, it has a few weaknesses that give knowledgeable visitors a reliable way to detect that something is wrong. Real OAuth or payment windows are separate browser windows, distinct from the main page. This means a user can resize them and move them anywhere on the monitor, including outside the main window.
BitB windows, on the other hand, are not separate browser windows at all. They are drawn with custom HTML and CSS and contained within the main window. This means the fake windows cannot be resized, fully maximized, or moved outside the main window.
Unfortunately, as mr.d0x pointed out, these checks might be difficult to teach, “because now we’re moving away from the standard advice to ‘check the URL’.” “You are teaching users to do something they never do.”
All users should protect their accounts with two-factor authentication. Another thing more experienced users can do is right-click on the popup and choose “inspect”. If the window is a BitB spoof, its URL will be hard-coded into the page’s HTML rather than being the location of a separate window.
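The hard-coded URL is exactly what the “inspect” check looks for, and the same idea can be automated. The following is an added example, not code from the article or from mr.d0x’s proof-of-concept: a heuristic that scans a page’s HTML for a provider login address rendered as visible text (a “painted” address bar). The provider hostnames and the sample HTML are constructed for illustration.

```javascript
// Identity-provider hosts whose login URL a BitB popup would "paint" as text.
// These are assumed values for the example; extend the list as needed.
const IDP_HOSTS = ["accounts.google.com", "appleid.apple.com", "www.facebook.com"];

// Minimal tag stripper: returns the visible text runs of an HTML string,
// each paired with the name of the tag immediately preceding it.
// <script> and <style> bodies are dropped because they are never rendered.
function textRuns(html) {
  const runs = [];
  const cleaned = html.replace(/<(script|style)[^>]*>[\s\S]*?<\/\1>/gi, "");
  const re = /<\/?([a-zA-Z][\w-]*)[^>]*>([^<]*)/g;
  let m;
  while ((m = re.exec(cleaned)) !== null) {
    const text = m[2].replace(/\s+/g, " ").trim();
    if (text) runs.push({ tag: m[1].toLowerCase(), text });
  }
  return runs;
}

// Flags text runs that consist solely of a provider login URL, i.e. an
// address bar drawn in HTML. A real popup never renders its own location
// as page text, so a match is a strong BitB indicator with few false positives
// (prose that merely mentions the host, e.g. "go to accounts.google.com", is
// not flagged because the pattern is anchored to the whole run).
function findSpoofedAddressBars(html) {
  const hosts = IDP_HOSTS.map(h => h.replace(/\./g, "\\.")).join("|");
  const urlRe = new RegExp(`^(https?://)?(${hosts})(/\\S*)?$`, "i");
  return textRuns(html).filter(r => urlRe.test(r.text));
}

// Constructed sample resembling a BitB popup: the "address bar" is a <span>,
// and the login form is loaded from elsewhere into an iframe.
const SAMPLE_BITB = `
<div class="fake-window">
  <div class="titlebar"><span class="lock">lock</span>
    <span class="url">https://accounts.google.com</span></div>
  <iframe src="https://phish.example/login-form"></iframe>
</div>`;

// Constructed benign page: the provider URL only appears in an href.
const SAMPLE_CLEAN = `<a href="https://accounts.google.com/o/oauth2/auth">Sign in with Google</a>`;

console.log(findSpoofedAddressBars(SAMPLE_BITB));   // one hit: the painted URL
console.log(findSpoofedAddressBars(SAMPLE_CLEAN));  // no hits
```

In a browser, the same check can be run against `document.documentElement.outerHTML` from the developer console, which is the automated form of the right-click-and-inspect advice above.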
It wouldn’t be surprising to see the BitB technique gain more widespread use, but the reaction mr.d0x received demonstrates that many security advocates are unaware of BitB. And that means many end users aren’t either.