An information security researcher using the pseudonym Mr.d0x described a new browser-in-the-browser (BitB) attack. The technique steals login credentials by simulating the browser pop-ups from Google, Microsoft and other authentication service providers that ask for a username and password.
Services such as Google Sign-In display the Google URL on the navigation bar of the pop-up window, which convinces the user that the authentication process is secure. Bypassing these protections built into the user’s browser is difficult due to the lack of vulnerabilities and the presence of content security policies.
Nevertheless, there are methods such as clickjacking or user interface (UI) redressing that change the appearance of browsers and web pages in order to deceive people and circumvent security measures. A clickjacking attack can, for example, embed a transparent element on top of a page button so that a user action is intercepted by a criminal.
The BitB attack extends this method by creating a completely fake browser window, including trust signals such as a closed lock icon and a known (but fake) URL. This method makes phishing more effective. Victims will still need to visit a compromised or malicious website for a pop-up to appear, but after that they are more likely to provide the fraudster with their credentials.
There are limitations to this approach. Although it can deceive a person, it is unlikely to deceive other software. Password managers, for example, won’t automatically enter credentials into the BitB window because they won’t see it as a real browser window.
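
The password-manager limitation above can be modelled as an origin check. The following is an added example, not code from the researcher or from any password manager: it assumes a manager that keys saved logins on the origin of the document that really holds the password field, and every name and URL in it is hypothetical.

```javascript
// Added illustration: simplified model of a password manager's autofill decision.
// All names and URLs are hypothetical; the vault and page contexts are constructed.

// Saved logins are keyed by the origin on which they were saved.
const vault = new Map([
  ["https://accounts.example-idp.test", { username: "alice" }],
]);

// Reduce a URL to its origin (scheme + host + port); reject non-HTTPS or unparsable input.
function originOf(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" ? u.origin : null;
  } catch (err) {
    return null;
  }
}

// documentUrl: URL of the document that really contains the password field,
//              as reported by the browser, not by the page.
// displayedUrl: text the page draws to imitate an address bar. It is page
//               content under the site's control, so it is deliberately ignored.
function credentialsFor(context) {
  const origin = originOf(context.documentUrl);
  if (origin === null) return null;
  return vault.get(origin) || null;
}

// Constructed contexts: a real pop-up, a BitB window, and a lookalike host.
const realPopup = {
  documentUrl: "https://accounts.example-idp.test/signin",
  displayedUrl: "https://accounts.example-idp.test/signin",
};
const bitbWindow = {
  documentUrl: "https://malicious-site.test/article",
  displayedUrl: "https://accounts.example-idp.test/signin",
};
const lookalike = {
  documentUrl: "https://accounts.example-idp.test.malicious-site.test/signin",
  displayedUrl: "https://accounts.example-idp.test/signin",
};

// One autofill decision per context: true means credentials would be offered.
function decisions() {
  return [realPopup, bitbWindow, lookalike].map((c) => credentialsFor(c) !== null);
}

console.log(decisions());
```

A login that is not offered on a page where the user expects it is therefore a signal worth acting on before typing the password by hand.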