Browser-in-the-Browser Attack Can Trick Even Savvy Users

apoc.famine shares a report from Ars Technica: Hundreds of thousands of sites use the OAuth protocol to let visitors login using their existing accounts with companies like Google, Facebook, or Apple. Instead of having to create an account on the new site, visitors can use an account that they already have -- and the magic of OAuth does the rest. The Browser-in-the-Browser (BitB) technique capitalizes on this scheme. Instead of opening a genuine second browser window that's connected to the site facilitating the login or payment, BitB uses a series of HTML and cascading style sheets (CSS) tricks to convincingly spoof the second window. The URL that appears there can show a valid address, complete with a padlock and HTTPS prefix. The layout and behavior of the window appear identical to the real thing.

While the method is convincing, it has a few weaknesses that should give savvy visitors a foolproof way to detect that something is amiss. Genuine OAuth or payment windows are in fact separate browser instances that are distinct from the primary page. That means a user can resize them and move them anywhere on the monitor, including outside the primary window. BitB windows, by contrast, aren't a separate browser instance at all. Instead, they're images rendered by custom HTML and CSS and contained in the primary window. That means the fake pages can't be resized, fully maximized or dragged outside the primary window. All users should protect their accounts with two-factor authentication. One other thing more experienced users can do is right click on the popup page and choose "inspect." If the window is a BitB spawn, its URL will be hardcoded into the HTML.

Security fo dummies

[NFN_NLN]

"Nuh uh. Nice try slashdot, but I was told if there's a "lock icon" in the corner all my problems are solved. Even if the site I'm at is micr0soft.com, as long as I have that lock icon I'm protected."

Re: Security fo dummies

[Z00L00K]

As soon as the https everywhere was introduced fhe lock icon became diluted and worthless.

The now very powerful CSS and HTML has become too powerful, and it's not the general consumers or content providers that has driven this. It's all about ads and privacy intrusion anc they can't be considered providers of valuable content. Instead it's de-valuing content that has driven much of the recent development of css and html.

Re:

[Xenographic]

Ironically I don't think it will work well on me because I have extensions which modify the default CSS of sites to make them more readable for me.

So if you spoof a browser window that doesn't have the same things, that's pretty suspect. Of course I also don't log into sites with Google or Facebook to begin with, so there's also that.

Re:

[Inyu]

I was on a look-out for good mods of the default CSS. Any suggestions?

Re:

[KiloByte]

In general, this is outright killed by any non-default window theme. So those should be promoted instead of killed for the reason of "product indentity".

Re:

[micheas]

All my passwords are filled with a password manager. So they won't be filled if they are outside the official domain.

Wild that this is modded down.

That would be exactly the method I would tell people to use to avoid this and is the method that Troy Hunt of haveIbeenPowned.com fame recommends

Re:

[aitikin]

All my passwords are filled with a password manager. So they won't be filled if they are outside the official domain.

Wild that this is modded down.

It's not modded down. That's either someone's troll account or it's someone who has burnt enough karma that their posts start at -1. Click the number and you'll see there's no mod history.

Now to stay on topic, came here to point out that that's the method recommended by haveibeenpwned.com. Adding it to correct the typo in your post.

Even more reason not to go passwordless, ever

[devslash0]

If we delegate auth to a small number of 3rd party authentication authoritities, scammers will have grand time having to work with a limited number of different UIs and protocols.

Re:

[Junta]

I mean, if people went passwordless, then phishing wouldn't have as much to fish for. If some OTP scheme, you still have a worrying window for the phished credential to be valid, but other schemes would leave them unable to phish a credential or man-in-the-middle a challenge.

If you mean 'replace site managed password with thtird-party managed password', sure that's a fair point, but 'passwordless' would generally be immune to phishing.

Not new

[darkain]

1) this isn't even a remotely "new" attack. Fake popups have been using the "we look like a browser window" for at least a decade now.

2) USE A GODDAMN PASSWORD MANAGER PEOPLE! The manager will use browser API hooks to validate the actual URL being displayed and only fill in password information on matched URLs.

Re:

[Rayfield k.]

USE A GODDAMN PASSWORD MANAGER PEOPLE!

So these actually good and useful? When I first heard the term I thought it was some snakeoil shit and never investigated further.

Re:

[Junta]

Something like KeepPassXC is my suggestion, it's offline and not a cloud provider. The password database is encrypted by a pass phrase and makes it easier to use machine generated unique passwords per site. For multiple systems, I use a 'cloud storage' provider to replicate the file.

Re:

[bill_mcgonigle]

Bitwarden is the open source solution that works for normal people.

https://bitwarden.com/download... [bitwarden.com]

Re:

[SomePoorSchmuck]

1) this isn't even a remotely "new" attack. Fake popups have been using the "we look like a browser window" for at least a decade now.

20+ years

Back in the 1999-2001 era when webmail was still new, there was an easy script-kiddie trick where you could send someone an email message that would trigger Netscape and IE to render a fake pop-up screen that looked like your email session had randomly timed out, prompting you to sign in again. (Unstable browser sessions were very common back then, so most users were used to that happening legitimately.) When your target typed their username and password, the pop-up would go away and return the use

Password managers

[stikves]

One benefit of password managers is that the attack will not work on them.

If you have "auto-fill" on Microsoft.com, and then random-hacking-site.net tries to pull off this trick, it will not work. You'd first be puzzled why the password was not auto filled. And then you'd likely catch on to the issue.

I am still angry about the sites where copy-paste does not work, and password managers are intentionally disabled. I have more trust in a secure application, than not having a key logger on the web page (or the

Re:Password managers

[Causemos]

Someone technical might catch on but most would just be annoyed the password manager wasn't working today and figure out another method to get the password over to the window.

Re:

[sTeF]

well, the password manager should always display the domain it recovers a password for, and if that is wrong that is also an alarmbell. or even better the password manager can alarm if it doesnt have a user for the domain and warn for possible phishing.

Re:

[thegarbz]

than not having a key logger on the web page

Implying that a website or malware can only log key strokes when they come from a physical device?

I think you worry about the wrong things.

The magic of OAuth

[Rosco P. Coltrane]

Lazy people who can't be bothered to remember properly constructed passwords on a per-site basis and let "magic" Google or Facebook single-sign them on elsewhere get burnt. Eggs... basket.... Why am I not completely surprised?

When The Browser Becomes the OS

[rsmith-mac]

I'm just musing here, but as more and more stuff is done within browsers, it's becoming increasingly apparent that browsers need to be hardened against all of the old-school tricks that have been used against OSes in the past.

Fake password prompts are nothing new at the OS level, which is why secure/isolated password prompts were created (see: Windows UAC). Judging from the OS experience, the only way to break the fakes is to create a window that they cannot under any circumstances perfectly mimic or intera

Re:

[Ichijo]

Fake password prompts are nothing new at the OS level, which is why secure/isolated password prompts were created (see: Windows UAC). Judging from the OS experience, the only way to break the fakes is to create a window that they cannot under any circumstances perfectly mimic or interact with.

A web site can still defeat that by putting something for the user to click on in the same spot where the "Ok" button for the elevated prompt will go, so when the user tries to click "Cancel", they might accidentally

Re:

[swilver]

Firefox solves this by not enabling buttons on new windows right away. Another reason to not have new windows steal focus automatically.

Re:

[WaffleMonster]

Fake password prompts are nothing new at the OS level, which is why secure/isolated password prompts were created (see: Windows UAC). Judging from the OS experience, the only way to break the fakes is to create a window that they cannot under any circumstances perfectly mimic or interact with.

I've been advocating for this backed by mandatory use of secure authentication algorithms for years yet nobody seems to care. Everyone wants custom, insecure ad-hoc login forms they can make look however they want and they don't give a flying f*** about consequences.

Second Window?

[theNetImp]

I use Oauth in development daily. None of what we use is configured to open in a second window. All of it redirects user to the authenticating site and then redirects the user back to our site in the same window.

Re:

[Anubis IV]

Some workflows can open new windows, but that’s neither here nor there. The point here is that they’re making fake pages and displaying them to the user. Whether it appears to be a separate window or “Google” taking the full window doesn’t matter. Either way, they’re being phished.

Re:

[nasch]

Yes, but the "drag the window around to make sure it's really a separate window" technique doesn't work to detect the phish.

Re:

[thegarbz]

I use Oauth in development daily. None of what we use is configured to open in a second window. All of it redirects user to the authenticating site and then redirects the user back to our site in the same window.

Yes but users don't know that.

Re:

[AmiMoJo]

Sure, but a lot of sites do this and if you were on their web page would you think it was odd? TBH I probably wouldn't, that's how many sites handle Oauth.

What would tip me off is that the window borders are the wrong colour. This is an example of why there shouldn't be a way for the website to figure out what OS you are on or if your theme is set to night or day mode.

Re:

[Junta]

Yeah, this is a good argument as to why pop-up sign on provider shouldn't be done, it should just always be redirecting instead.

Fair point about limited knowledge of window decoration, though popping up the most common decoration would do the job 99% of the time.

Browsers could implement a 'secure access key', where some key sequence can *only* be caught at whole-window level and the providers could have you enter that sequence before prompting (e.g. ctrl-alt-delete in Windows).

Re:

[jonadab]

That's because you're not trying to mislead the user about what site it is they're logging into.

tl;dr

[znrt]

the "browser in a browser" title is nonsense and totally misleading, this is a regular iframe replicating the legitimate login window with a fake url.

looks like overkill? to see to this you still need to have been already misled through a malicious link or site, that's the part where users need to be savvy and beyond that security is really precarious anyway.

Re:

[DVLNSD]

Not to mention all the hustle with light/dark theming, browser specifics and possible browser customization done by user.
This might fool just some novice user vulgaris.

Re:

[Junta]

It's not misleading, that's what is being presented, imitating a pop-up browser window in a fake window.

It's a bit misleading when they say 'even web developers can't tell the difference.' A savvy person could reveal it just by trying to drag it non-overlapping screen area, a web developer could hit the hotkey for developer console to see what happens. They might not *think* to check, but if they thought to, they certainly could.

Convenience or security...

[rantrantrant]

...You can't have both. Auto-fill/sharing login credentials is just a vulnerability waiting to happen. I always disable it in my web browsers. I use a well designed, encrypted, separate password manager (I'm too paranoid to actually write them down on paper) & keep all my online accounts as separate as possible. I also have no banking info or apps on my phone. Sooner or later I WILL lose my phone & it's a monumental pain to deal with banks, email providers, etc., in that case. I prefer the slight in

No it can't.

[drinkypoo]

First, I'm not on Windows or MacOS when doing the bulk of my browsing. Their trick isn't going to work on me period because their window won't look like the rest of my Windows. Second, frankly it's always pretty obvious when a window is implemented in the browser. Not because you can't resize it, that's fucking stupid, of course you can implement a resizable and draggable window in a web browser. Not being able to drag it outside of the browser window is a real tell, but frankly if you require that then yo

Re:

[mrfaithful]

The mac examples aren't terribly convincing on a mac either. It's close, but the window decorations on a mac are more complicated than can be expressed easily in CSS. That and the "inactive" window should look like inactive windows do which in this case it doesn't. And besides, I think this guy is a few year's too late for this as we've all been strongarmed into 2-factor authentication on our accounts and get plenty of "new sign on from 'China'" emails or even a push notification on your phone.

commercial interests requiring full-screen mode

[sTeF]

if you watch youtube on full screen, then you have a problem, since a phishing site can now go fullscreen itself and can imitate the password window also leaving the original browser window. but all in all, the attack itself and the fullscreen vector are not new at all, see https://textslashplain.com/201... [textslashplain.com]

I thought his was common sense...

[rickb928]

I never let sites 'log me on' with my Google, or Facebook, or whatever credentials that I never offered them. Never.

If for no other reason than I do not want my visits to be so directly correlated with those sites. Nope, never. You think Google security is invulnerable? You don't mind letting Google explicitly share in your visits wherever you go?

I have well over 160 logins to sites and services, some probably defunct, but most used at least once a year. I manage my passwords very differently, and it does n

This can only work on vanilla-OOTB setups.

[jonadab]

The minute you customize *anything*, even something as basic as the active-titlebar color (let alone more extreme customizations, like using a tiling window manager), these fake-window-in-a-webpage instances instantly become extremely obvious.

Somewhere along the line, about fifteen years ago I think, we almost entirely stopped encouraging users to customize their setups to their own liking. WHY? This used to be one of the first thing we'd teach new computer users: this is how you change the look-and-feel

Re:

[jenningsthecat]

Somewhere along the line, about fifteen years ago I think, we almost entirely stopped encouraging users to customize their setups to their own liking. WHY?

You'd have to ask Gnome or Mozilla developers that question. They seem to have been the ones driving operating systems and browsers toward flat interfaces and extreme limits on user configurability.

Solution

[phantomfive]

This is why I don't log in to any oauth window that pops up. It wants to me to log in to Facebook? I'll open another tab, log in from there, and then go back and reload the page. If the other page can't get it figured out, then I give up. There's no way I'm typing in my Facebook password in a random sketchy window. (And tbh I don't care a lot about my Facebook password, but get your login code fixed, you random sketchy website).

Browser configuration?

[jenningsthecat]

Genuine OAuth or payment windows are in fact separate browser instances that are distinct from the primary page.

I always configure my browsers to force pages that want to open in a new window, to open in a tab instead - so I'm guessing a spoofed OAuth page would look like a real one to me. I have no way of knowing, because I never have used OAuth and never will. It's always struck me as both a security nightmare and a privacy killer.