Browser-in-the-Browser Attack Makes Phishing Nearly Invisible:
We've had it beaten into our brains: Before you go willy-nilly clicking on a page, check the URL. First things first, the tried-and-usually-but-not-always-true advice goes: check that the site's URL shows "https," indicating that the connection to the site is encrypted with TLS/SSL (which says nothing about who is on the other end of it).
If only it were that easy to avoid phishing sites. In reality, URL reliability hasn't been absolute for a long time, given things like homograph attacks, which swap in similar-looking characters to register new domains that look identical to legitimate ones, as well as DNS hijacking, in which Domain Name System (DNS) queries are subverted.
Now, there's one more way to trick targets into coughing up sensitive info, with a coding ruse that's invisible to the naked eye. The novel phishing technique, described last week by a penetration tester and security researcher who goes by the handle mr.d0x, is called a browser-in-the-browser (BitB) attack.
The novel method takes advantage of third-party single sign-on (SSO) options embedded on websites that issue popup windows for authentication, such as "Sign in with Google," Facebook, Apple or Microsoft.
But according to mr.d0x's post, completely fabricating a malicious version of a popup window is a snap: It's "quite simple" using basic HTML/CSS, the researcher said. The concocted popups simulate a browser window within the browser, spoofing a legitimate domain and making it possible to stage convincing phishing attacks.
"Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and [it's] basically indistinguishable," mr.d0x wrote. The report provided an image, included below, that shows a side-by-side of a fake window next to the real window.
[...] The BitB technique thus undercuts both the "https" check and the hover-over-the-link check: in the fake popup, the padlock, the URL and the window chrome are all drawn by the attacker's page, so they show whatever the attacker wants.
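How the mismatch the summary describes (a painted address bar showing one host, an iframe really loading another) can be spotted in a saved page, as an added example that is neither mr.d0x's code nor anything from the original article. It is a triage heuristic over HTML text, not a detector: the identity-provider host list, the two sample pages and the `.example` hostnames are constructed for this example, the HTML is handled with regular expressions rather than a real parser, and a legitimate page that happens to print an IdP URL as visible text next to an unrelated iframe would be flagged as well.

```javascript
'use strict';

// Added example (not mr.d0x's code): a triage heuristic for a saved HTML page.
// A browser-in-the-browser kit paints a fake address bar showing a trusted
// identity-provider URL as plain text, next to an <iframe> whose real src is
// the attacker's own phishing page. We look for exactly that mismatch.

// Identity-provider hosts a fake address bar is likely to show.
// Assumption: illustrative list, extend for your environment.
const IDP_HOSTS = new Set([
  'accounts.google.com',
  'login.microsoftonline.com',
  'www.facebook.com',
  'appleid.apple.com',
]);

// Hostnames the page actually loads into iframes. Relative src values are
// resolved against pageUrl; unparsable or hostless ones (javascript:) are skipped.
function iframeHosts(html, pageUrl) {
  const hosts = [];
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      const host = new URL(m[1], pageUrl).hostname;
      if (host) hosts.push(host);
    } catch (e) {
      // malformed src: nothing to compare against
    }
  }
  return hosts;
}

// Hostnames of URL-looking strings that appear as visible text (tags
// stripped), i.e. what a painted address bar shows the victim. Real links
// and navigations live in attributes and are deliberately not counted.
function displayedHosts(html) {
  const text = html.replace(/<[^>]*>/g, ' ');
  const urls = text.match(/https?:\/\/[^\s<>"']+/g) || [];
  const hosts = [];
  for (const u of urls) {
    try { hosts.push(new URL(u).hostname); } catch (e) { /* skip */ }
  }
  return hosts;
}

// One finding per impersonated IdP host that is shown as text while the page
// frames some other host. An empty array means "no BitB pattern seen".
function triage(html, pageUrl) {
  const framed = iframeHosts(html, pageUrl);
  const findings = [];
  for (const shown of new Set(displayedHosts(html))) {
    if (!IDP_HOSTS.has(shown)) continue;
    const mismatched = framed.filter((h) => h !== shown);
    if (mismatched.length > 0) {
      findings.push({ shownHost: shown, framedHosts: mismatched });
    }
  }
  return findings;
}

// Constructed samples (not taken from any real kit).
const SAMPLE_BITB = `
<div class="fake-window">
  <div class="titlebar">Sign in - Google Accounts</div>
  <div class="addressbar">&#128274; https://accounts.google.com/o/oauth2/auth?client_id=123</div>
  <iframe src="https://login-portal.example/google.html" width="500" height="600"></iframe>
</div>`;

const SAMPLE_BENIGN = `
<p>Welcome back.</p>
<a href="https://accounts.google.com/o/oauth2/auth?client_id=123">Sign in with Google</a>
<iframe src="/help/widget.html"></iframe>`;

console.log('bitb:  ', JSON.stringify(triage(SAMPLE_BITB, 'https://login-portal.example/')));
console.log('benign:', JSON.stringify(triage(SAMPLE_BENIGN, 'https://shop.example/')));
```

Run with node: the first sample yields one finding (`accounts.google.com` shown, `login-portal.example` framed), the second none, because a real "Sign in with Google" button carries the IdP URL in an `href`, not as text. Kits that draw the address bar as an image rather than text will not show up here, so this belongs next to a screenshot review in a triage pipeline, not in place of one.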
(Score: 4, Insightful) by Gaaark on Wednesday March 23 2022, @04:31PM (5 children)
I'm guessing this wouldn't fool a password keeper (Lastpass, Keepass, etc): another reason to use them??
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 2) by vux984 on Wednesday March 23 2022, @06:33PM
It would not 'fool' a password keeper, because the icons for your browser extensions are *extremely* unlikely to even be present, and even less likely to be functional, on the fake window. You could of course use the password keeper in the 'parent' window to fill out the fake window (and you'd have to manually search for the credentials since the URL detection wouldn't work, of course -- but if you're that determined to defeat yourself you will of course succeed).
(Score: 2) by FatPhil on Thursday March 24 2022, @12:14PM (3 children)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by Gaaark on Thursday March 24 2022, @12:51PM (2 children)
You don't 'copy/paste' the password: the password keeper does the 'pasting' into pre-identified boxes on the log-in site of "ThisURL". It only supplies it for "ThisURL", not "thisUrL".
If idiot-boy does the copy/paste himself into "thisUrL" (I guess, thinking the password keeper isn't working?), then he has been pwned.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
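The reasoning in the comments above, as an added example (not the code of KeePassXC, LastPass, Firefox or any browser extension): a manager that keys autofill on the origin the browser reports for the document containing the form is indifferent to whatever URL the page paints into a fake address bar, and the same comparison handles the homograph domains mentioned in the summary. The vault entries, the `login-portal.example` host and the scenario URLs are constructed; matching on the full origin rather than on the host alone is this example's design choice.

```javascript
'use strict';

// Added example; not the code of KeePassXC, LastPass, Firefox or any other
// manager. It models the property the comments above rely on: autofill is
// keyed on the origin the browser reports for the document holding the
// login form, never on text the page paints into a fake address bar.

// Constructed vault entries, stored with the URL they were saved from.
const VAULT = [
  { title: 'Google', url: 'https://accounts.google.com/signin', user: 'alice@example.com' },
  { title: 'Shop',   url: 'https://shop.example/login',         user: 'alice' },
];

// Origin = scheme + host + port after URL normalisation (lower-casing, IDNA
// to punycode, default-port removal). Design choice for this example: match
// on the whole origin, so a different port or scheme is a different site.
function originOf(url) {
  return new URL(url).origin;
}

// `formDocumentUrl` is the real location of the document containing the
// form (location.href of that frame, as an extension's content script sees
// it). A BitB kit paints "https://accounts.google.com" into a <div>, but the
// form lives in the attacker's iframe, so the iframe's URL is what arrives here.
function fillCandidates(vault, formDocumentUrl) {
  const want = originOf(formDocumentUrl);
  return vault.filter((entry) => originOf(entry.url) === want);
}

// Constructed scenarios: what the browser reports for the form's document.
const SCENARIOS = {
  realPopup: 'https://accounts.google.com/o/oauth2/auth?client_id=123',
  bitbFrame: 'https://login-portal.example/google.html',      // the iframe's real src
  homograph: 'https://accounts.g\u043e\u043egle.com/signin',  // two Cyrillic "о"
  caseOnly:  'HTTPS://Accounts.GOOGLE.com/signin',            // same origin after normalisation
  otherPort: 'https://accounts.google.com:8443/signin',       // different origin
};

// Titles of the entries the manager would offer for each scenario.
function report() {
  const out = {};
  for (const [name, url] of Object.entries(SCENARIOS)) {
    out[name] = fillCandidates(VAULT, url).map((e) => e.title);
  }
  return out;
}

console.log(report());
```

The real popup and the case-only variant both get the Google entry, because scheme and host are case-insensitive and normalise to the same origin; the BitB frame, the homograph host (which the URL parser turns into an `xn--` punycode label) and the odd port get nothing, which is the "manager refuses to fill" signal vux984 and Gaaark describe. The manager only ever sees the frame's real location; the painted address bar is never an input to this decision.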
(Score: 2) by FatPhil on Thursday March 24 2022, @05:17PM (1 child)
If I want passwords memorised for me, I'd rather that was done by the browser itself, so it can stay purely internal, and how the data reaches the form fields never needs to be known to the outside world, such as the graphical environment. I don't want the information I want secure to be passed between different processes that can't authenticate each other. (Or can they? How? When browser development forks (e.g. firefox->palemoon), how does the password keeper know which one it's now allowed to paste into?)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by Gaaark on Thursday March 24 2022, @09:56PM
I use KeePassXC and it stores the passwords on my machine. Firefox has a, what...module? or whatever...brain fart, that allows them to talk together. If Pale Moon has a module? they too could talk.
Therefore, it is all stored locally and just needs a browser add-on! Brain fart over!
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 3, Touché) by maxwell demon on Wednesday March 23 2022, @05:00PM (7 children)
Good luck imitating the look of my highly customized browser.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 5, Insightful) by Rosco P. Coltrane on Wednesday March 23 2022, @05:24PM (2 children)
Good luck convincing me to do SSO with Google or Facebook. Not really worried about the browser-in-browser attack, just worried about Google and Facebook tracking where I log on and when.
(Score: 2) by PiMuNu on Wednesday March 23 2022, @06:21PM (1 child)
Most organisations I work with now use Microsoft SSO
(Score: 0) by Anonymous Coward on Wednesday March 23 2022, @08:44PM
So it's important to delineate your work-life balance.
I work from home 4 days out of 5. I don't use my home login for work stuff.
Either buy a second machine or login as a different user during your lunch break to do your banking, check the headlines or whatever nefarious activities you get up to such as accessing soylent.
Using a VPN inside a virtual machine is a possibility but don't share your screen on your pr0n computer while on video chat!
(Score: 2) by NateMich on Wednesday March 23 2022, @08:07PM
I was thinking of my particular wayland compositors titlebars.
I suppose it will be like those popups that I used to get on my android phone with Windows 7 titlebars. It was pretty convincing...
(Score: 2) by krishnoid on Wednesday March 23 2022, @10:48PM (1 child)
One option is to add an extension that forces popups into a new tab [google.com]. Then if anything looks suspect, you have at least a little better sense that something funny is going on. Plus no random extra what-was-i-doing-when-this-appeared browser windows littering your desktop.
(Score: 2) by krishnoid on Wednesday March 23 2022, @10:51PM
Oh wait, these are popups that are rendered in the page itself. So still a problem, but having a plugin that forces new popups into a tab should make you suspicious of *any* separate-window popup you see.
(Score: 2) by Nobuddy on Thursday March 24 2022, @03:21PM
Not the point. Phishing works by volume. A .000000001% success rate is still profitable. Enough people use unmodified browsers for this to work.
(Score: 2) by tangomargarine on Wednesday March 23 2022, @06:18PM
Actually displaying the "http" part is so passé that no major browsers bother to do it anymore.
...Oh holy crap, something that Edge actually does right!
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 5, Informative) by jasassin on Wednesday March 23 2022, @07:09PM (1 child)
Tl;dr
If you want to use SSO, move the login window up over the address bar. If it can’t cover the address bar (it can’t leave the window it’s in) it’s bogus.
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 3, Informative) by FatPhil on Thursday March 24 2022, @12:27PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 5, Interesting) by Anonymous Coward on Wednesday March 23 2022, @08:07PM (4 children)
Everything they laid out in the 2009-2013 period has come to pass. I was even complaining about this particular vuln (yes, it's a vuln) before that, when Mozilla moved the status bar URL link display to the page canvas. A browser GUI should never do anything password or URL related on the page canvas, and should not normalize it as part of UX.
Qubes' recommendation is to choose a unique color/skin for your window borders & also use a window grey-out option (non-foreground windows are greyed or faded). In Qubes, even if the browser was locally exploited before the malicious prompt and malware could detect window manager settings, the attack would still fail because the real wm is rendered separately by the admin VM.
UIs require context + visual encapsulation of certain elements in order to be secure. Enforcing that context + encapsulation with a tightly configured hypervisor (or microkernel) makes it close to bulletproof (but I digress, Qubes calls this "reasonably secure").
With that said.... This particular exploit isn't as bad as it seems. Part of online security is trusting the party you're communicating with (after looking at HTTPS status + domain name), and _competency_ is part of that trust. If the service failed to repel an attack of their own website (or used a third-party library that was vulnerable) there is not much anyone can do.
(Score: 2) by FatPhil on Thursday March 24 2022, @12:19PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 3, Insightful) by crafoo on Thursday March 24 2022, @02:20PM (2 children)
I see UI design more as a non-consensual puzzle game. Grey text on grey-blue backgrounds. Is the text a clickable button? Is it just text? Who knows! Text will have 1.5 miles of whitespace between any other text or UI element. With tastefully placed cryptic arrangements of stylized "modern takes" on iconography: nothing but random arrangements of vertical and horizontal bars that may or may not be interactive.
For instance, let's take the menu system. Let's collapse it into a "button" that has no definable shape or border. It's just 3 small, stacked horizontal lines. Let's put it on the _right_ side of the window, and kinda, just bury it among some random trash. I've asked around among Zoomers. This button is officially titled, "The Hamburger".
I really do hope all UI designers lose their jobs and have to make rent working their local truck stop.
(Score: 0) by Anonymous Coward on Thursday March 24 2022, @04:26PM
smartphones were a mistake.
(Score: 2) by krishnoid on Thursday March 24 2022, @06:23PM
Do you want UI designers "designing" all the poor, tired truckers' hamburgers and related food items [mentalfloss.com] as well? Why would you wish something like that on them? That's just cruel.
(Score: 3, Funny) by Anonymous Coward on Wednesday March 23 2022, @08:11PM
Yo Dawg!
I heard you like browsing, so I put a browser in your browser so you can browse while you browse.