Browser-in-the-Browser attacks can deceive even experienced users.

apoc.famine, sharing Ars Technica’s report: The OAuth protocol, used by hundreds of thousands of sites, lets visitors log in with accounts they already hold at companies like Google, Facebook, or Apple, so they can use an existing account instead of creating one for the new site; OAuth takes care of the rest. The Browser-in-the-Browser (BitB) technique takes advantage of this scheme. Instead of opening a genuine second browser window that links to the site handling the login or payment, BitB uses a set of HTML and Cascading Style Sheet (CSS) tricks to convincingly spoof that second window. The URL shown in the fake window can display a valid address complete with a padlock and HTTPS prefix, and the window’s layout and behavior appear just as they would in the real thing.

While this method is convincing, it has some drawbacks that give a savvy visitor a reliable way to detect that something is wrong. A genuine OAuth or checkout window is a separate browser instance, distinct from the main page. This means the user can resize it and move it anywhere on the monitor, including outside the main window. In contrast, the BitB window is not a separate browser instance at all. It is an image rendered with custom HTML and CSS and embedded in the main window, so the fake page cannot be resized, fully maximized, or dragged outside the main window. All users must secure their accounts with two-factor authentication. Another thing experienced users can do is right-click on the pop-up page and select “Inspect”. If the window is BitB-generated, the URL it displays is hardcoded into the HTML.
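The "Inspect" check above can be turned into a small script. The following is an added example, not code from the article or from Ars Technica: it scans raw page markup the way a user would after choosing "Inspect", looking for the BitB signature the article describes. A genuine OAuth window's address bar is browser chrome and never appears in page content, whereas a BitB fake paints its own address bar, so the displayed URL shows up as a literal string in the HTML while the real content is loaded from somewhere else (here assumed to be an `<iframe>`). The markup, element names and domains below are constructed for this example.

```javascript
// Added example (not from the article). Scans HTML for a painted "address bar":
// a URL that appears as visible text rather than as browser chrome, and compares
// it with the host that the embedded frame actually loads. Sample markup is constructed.

// Constructed BitB-style markup: a div styled as a window, a fake address bar with a
// padlock glyph and a trustworthy-looking URL, and a frame that loads from elsewhere.
const SAMPLE_BITB_HTML = `
<div class="fake-window" style="position:fixed;top:120px;left:300px;width:480px">
  <div class="fake-titlebar">Sign in</div>
  <div class="fake-addressbar">&#128274; https://accounts.example.com/signin</div>
  <iframe src="https://phish.example.net/login" width="480" height="420"></iframe>
</div>`;

// Constructed benign markup: an embed with no painted address bar at all.
const SAMPLE_BENIGN_HTML = `
<p>Continue with your account:</p>
<iframe src="https://accounts.example.com/signin" width="480" height="420"></iframe>`;

const URL_RE = /https?:\/\/[^\s"'<>]+/g;

// URLs that appear as visible text, i.e. outside any tag or attribute.
// In a real pop-up the address lives in browser chrome, so this list is empty.
function displayedUrls(html) {
  const text = html.replace(/<[^>]*>/g, ' ');
  return text.match(URL_RE) || [];
}

// src values of every <iframe>: where the "window" content really comes from.
function frameSources(html) {
  const out = [];
  const re = /<iframe\b[^>]*\bsrc=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

function hostOf(u) {
  try { return new URL(u).hostname; } catch { return null; }
}

// Pairs each painted URL with the frame hosts actually loaded beneath it. A painted
// URL with no frame from the same host is the BitB signature: the address is decoration.
function analyzeMarkup(html) {
  const frames = frameSources(html);
  const frameHosts = new Set(frames.map(hostOf));
  const findings = displayedUrls(html).map((u) => ({
    shown: u,
    backedByFrame: frameHosts.has(hostOf(u)),
  }));
  const suspicious = findings.some((f) => !f.backedByFrame);
  return {
    displayedUrls: findings,
    frameSources: frames,
    verdict: suspicious ? 'suspicious' : 'clean',
  };
}

console.log(analyzeMarkup(SAMPLE_BITB_HTML));   // verdict: 'suspicious'
console.log(analyzeMarkup(SAMPLE_BENIGN_HTML)); // verdict: 'clean'
```

Run it with `node` to see both verdicts. The heuristic is deliberately simple and will also flag ordinary pages that print a URL in their text, so treat a "suspicious" result as a prompt for the manual checks the article lists (try to drag the window outside the main one, inspect the markup) rather than as proof on its own.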

