What is the new browser-in-the-browser (BitB) attack?

Anton P. | July 14, 2022

A browser-in-the-browser (BitB) attack compromises single sign-on, the common method of using Google or Facebook to join a service. Single sign-on is a quick and convenient way to create a new account without generating another set of credentials. However, the new BitB threat exploits single sign-on authentication by presenting fake browser login windows instead of legitimate ones.

The goal is to phish credentials for services like Facebook, Google, Microsoft, Steam, etc. The BitB trick is practically unnoticeable to users because it convincingly fabricates the legitimate sign-on pop-ups. However, there are ways to steer clear of browser-in-the-browser attacks and protect your credentials.

What is a single sign-on (SSO) authentication method? 

Single sign-on (SSO) authentication is available on many popular websites. You can notice it when logging/signing in to the service as the “Sign up with Facebook/Google” option. 

Here is an example from a standard sign-up page: 

[Image: single sign-in method]

It saves time as all information from Google or Facebook accounts gets used on the new service. The new site you join does not receive your Google or Facebook passwords. 

SSO does have security benefits if services operating this option have correctly configured the process. Besides a possible faulty setup, SSO could be vulnerable due to reused credentials. If the go-to account gets compromised, all other linked accounts are in danger. 

Therefore, experts recommend improving login processes with password managers instead. Then, users get to store all unique passwords safely. Additionally, there is no need to rely on external sources to handle SSO appropriately. 

What is a browser-in-the-browser (BitB) attack? 

A security researcher named mr.d0x recently explored the browser-in-the-browser attack, a nearly undetectable way of capturing credentials. This new password theft method makes use of SSO and simulates a browser window.

Essentially, the attack presents a fraudulent pop-up requiring the SSO credentials. So, instead of providing Facebook or Google passwords to a reliable entity, you are handing them to hackers. 

Thanks to the modern capabilities of HTML, CSS, and JavaScript, it has become possible to display anything on a page. It also extends the opportunities for hackers or scammers to deceive users. So, browser-in-the-browser attacks mimic pages from different services (like Google) within their own fraudulent sites. 

How does the BitB attack work? 

Browser-in-the-browser attacks go through specific steps and procedures until they can harvest users’ credentials: 

  1. Hackers set the bait by creating a fraudulent website. It might be a clone of a popular site. However, it could also be unique, likely featuring incredible offers for goods, jobs, or quick money-earning opportunities. 
  2. If the fraudsters create clones of legitimate services, they will also try to mimic their websites’ addresses. Therefore, instead of Spotify.com, you might enter Spotify.co. Browser-in-the-browser attacks could also use DNS spoofing, phishing, or other techniques to lead users into compromised domains. 
  3. Attackers will try to make the fake website seem legitimate, be it a unique site or a cloned one. 
  4. If victims decide to sign up, they will notice options for signing in with Google, Facebook, or another service. 
  5. If users click on ‘Sign in with…’ options, they will not get redirected to Google or Facebook. Instead, the fake website generates its own login pop-up. 
  6. Browser-in-the-browser attacks can also trick users who hover over buttons or links before clicking them.
  7. If users enter their credentials through the fake SSO windows, this information will not reach respectable entities. Instead, it goes straight to hackers behind the fraudulent page. 

Is the browser-in-the-browser attack used in the wild?

Yes, some browser-in-the-browser attacks have been noticed in the wild. In 2020, Zscaler reported it as a technique used to steal Steam credentials through several fake CS:GO skin websites. 

Google also wrote about similar attempts originating from Belarus. The researchers discovered browser-in-the-browser attacks used to steal credentials from users of domains like passport.i.ua. 

So, the browser-in-the-browser threat is not theoretical. Its nearly undetectable password harvesting makes it highly dangerous. Therefore, users must know how to protect themselves when using single sign-on options. 

How dangerous is the browser-in-the-browser attack?

Browser-in-the-browser attacks can be highly devastating if everything goes according to hackers’ plans. The primary condition for the attack to work is that users somehow land on the phishing domain. 

The attack will be futile if people do not sign up for unknown services or never open links in emails. However, DNS spoofing can compromise attempts to access legitimate services directly.

As a result, users could visit fraudulent websites without making any mistakes. Therefore, consider employing all possible safety precautions against browser-in-the-browser attacks, like flushing the DNS cache.

Defend accounts and passwords from browser-in-the-browser attacks

It is possible to protect against browser-in-the-browser attacks. We provide tips for recognizing fake login pop-ups and preventing them in the first place.

Signs of fake SSO browser windows

Here are some recommendations for determining whether a single sign-on pop-up is fake: 

  • The suspicious login windows look different from the authentic ones. Styling, fonts, or button placements might be off. 
  • The pop-up cannot go beyond the fraudulent website as it is bound to it. 
  • The fake window might not resize properly. 
  • If you use a password manager, it will likely refuse to fill credentials in a fraudulent pop-up. This is because the manager does not deem it trustworthy.
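
The password-manager sign above comes down to an origin check, shown here as an added example that is not from the original article or any real product. It is a simplified model: the function names and the `.example` hosts are assumptions made for illustration, and `Spotify.co` is the article's own look-alike address.

```javascript
// Simplified model of a password manager's autofill check (added example).
// It compares origins, never what the page draws on screen.

// Return the HTTPS origin (scheme + host + port) of a URL, or null.
function httpsOrigin(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" ? u.origin : null;
  } catch {
    return null; // unparsable URL
  }
}

// ctx.topUrl:    URL in the real browser address bar
// ctx.frameUrl:  URL of the document that contains the password field
// ctx.drawnText: address shown in a title bar drawn with HTML/CSS (ignored)
function autofillDecision(savedFor, ctx) {
  const saved = httpsOrigin(savedFor);
  const top = httpsOrigin(ctx.topUrl);
  const frame = httpsOrigin(ctx.frameUrl);
  if (!saved || !top || !frame) return { fill: false, reason: "insecure-or-invalid-url" };
  if (frame !== saved) return { fill: false, reason: "origin-mismatch" };
  if (top !== frame) return { fill: false, reason: "cross-origin-frame" };
  return { fill: true, reason: "origin-match" };
}

// Constructed sample contexts (not captured from a real site).
const SAVED_GOOGLE = "https://accounts.google.com/";
const samples = {
  // Genuine SSO pop-up: a separate browser window on the provider's origin.
  genuine: { topUrl: "https://accounts.google.com/signin",
             frameUrl: "https://accounts.google.com/signin", drawnText: null },
  // BitB: the "window" is markup inside the phishing page itself.
  bitb: { topUrl: "https://cheap-skins.example/login",
          frameUrl: "https://cheap-skins.example/login",
          drawnText: "https://accounts.google.com/signin" },
  // BitB variant: the form sits in an iframe served from another attacker host.
  bitbIframe: { topUrl: "https://cheap-skins.example/login",
                frameUrl: "https://sso.cheap-skins.example/form",
                drawnText: "https://accounts.google.com/signin" },
};

for (const [name, ctx] of Object.entries(samples)) {
  console.log(name, autofillDecision(SAVED_GOOGLE, ctx));
}
// The article's look-alike address: a Spotify.com credential on Spotify.co.
console.log(autofillDecision("https://spotify.com/", {
  topUrl: "https://spotify.co/", frameUrl: "https://spotify.co/" }));
```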

Prevent browser-in-the-browser attacks

In addition to recognizing the simulated browser windows, you can adopt these strategies to safeguard accounts and passwords: 

  • An effective solution is disabling JavaScript on websites you visit. Some browser extensions let you decide which sites you trust to run JavaScript.
  • Keep your credentials in a password manager. These applications are perfect for storing all passwords in a secure location. They can also indicate whether a login pop-up is part of a browser-in-the-browser attack.
  • Set two-factor authentication on all possible accounts. At the very least, apply 2FA on accounts used in a single sign-on method. That includes popular options like Google, Facebook, and Microsoft.
  • Be picky about when to use the single sign-on method. SSO might be convenient, but do not overuse it. The safer option is going through the standard sign-up process and adding credentials to password managers.
  • Double-check the URL of the website you have visited. Before doing anything on a website, ensure the address is correct. It should also include the security padlock, indicating that the site uses HTTPS.
  • Use a VPN to encrypt traffic and block access to suspicious sites. Atlas VPN scrambles online traffic, making it unreadable to entities attempting to snoop. Additionally, our Tracker Blocker feature can block access to websites known to be suspicious. Therefore, it could terminate access to phishing sites involved in browser-in-the-browser attacks.

Anton P.

Former chef and the head of Atlas VPN blog team. He's an experienced cybersecurity expert with a background of technical content writing.

© 2022 Atlas VPN. All rights reserved.