back to article This browser-in-browser attack is perfect for phishing

An interesting way of tricking people out of their passwords has left us wondering if there's a need to rethink how much we trust our web browsers to protect us and to accelerate efforts to close web security gaps. Earlier this week, an infosec researcher known as mr.d0x described a browser-in-the-browser (BitB) attack. It's a …

  1. b0llchit Silver badge
    Facepalm

    Skins and themes

    Emulating a browser window in a browser suggests that you need to know how the window manager draws the ornaments.

    Emulating my xfce look and feel - customized with a local theme - may be rather safe. But anyway, I guess the technique only works on people not accustomed to locking down the browser and looking at the details before accepting reality.

    No surprise then who will get duped. Still, a neat trick. Never expect safety where none is provided. Maybe this can lead to disabling running code from any and all source (yes, I know, a very optimistic thought).

    1. pip25
      WTF?

      Re: Skins and themes

      "Emulating my xfce look and feel - customized with a local theme - may be rather safe."

      How would the malicious code gather information on the current theme settings of the browser/OS? Is there an API for that I'm not aware of? That's what really puzzles me about this attack.

      1. b0llchit Silver badge
        Boffin

        Re: Skins and themes

        Windows and Mac boxes look mostly the same and have little user-induced variation. You can often detect all the necessary details of the OS and browser through the javascript web api window.navigator object.

        1. Richard 12 Silver badge

          Re: Skins and themes

          Exactly.

          The vast majority of people use the default light or dark Windows/macOS etc theme.

          An attack doesn't need to fool everybody. If it was simply Windows/Android Chrome or Apple/Safari default it'd probably fool more than half the world.

          1. John Brown (no body) Silver badge

            Re: Skins and themes

            And to cap it all off, MS have made it so much more difficult to customise the look of your desktop and apps anyway, making this an easier attack than it might otherwise be.

            1. Lorribot

              Re: Skins and themes

              As most web browsing these days is done from Android rather than Windows or Mac and Chrome is on 90% of those machines we should be all safe as Google will have our backs and stop all this nonsense.

              No wait they make all their money form adverts, and it all this rich functionality is down to them. bugger we are all screwed.

      2. Anonymous Coward
        Anonymous Coward

        Re: Skins and themes

        So theming a browser (i.e. Firefox) in some obscure colour scheme might act as a means of identifying this? Assuming the hack will likely default to the standard Firefox theme.

        1. Zippy´s Sausage Factory
          Meh

          Re: Skins and themes

          I think these days browsers do actually allow you to reference the colour scheme using "magic numbers" - like Windows has constants such as &H8000000F, which refers to "button highlight" and will resolve to whatever colour you've set the highlight to. I suspect this is because a lot of them just pass the values through without checking them.

          I guess we're going to need another browser option to ignore those constants somehow.

  2. Kevin McMurtrie Silver badge

    Android apps have been doing this for years. It's usually not from an intentionally malicious app, but ones indirectly hooked up to a malicious ad server. They simulate an app transition then a login window, usually by playing a full-screen video.

    I will NOT use any ad-driven Android apps. There's too much malware in them. It has to be free or paid.

  3. A Non e-mouse Silver badge

    Password Manager

    This is where a password manager can really help. 1Password will only suggest my Microsoft password when it sees the Microsoft login URL in the window address. If I click on the 1Password button and it suggests nothing, I can be sure something is wrong.

    1. Tessier-Ashpool

      Re: Password Manager

      I don’t remember the last time I actually typed a password into a website. Safari/Keychain normally handles that for me. I presume saved passwords in Chrome would do the same?

      1. Disgusted Of Tunbridge Wells Silver badge

        Re: Password Manager

        Yes Chrome works the same.

    2. nijam Silver badge

      Re: Password Manager

      Welcome to the NatWest login page, which is carefully and deliberately designed to prevent the use of password managers.

      But then, who'd want to try breaking into a NatWest account?

      1. Anonymous Coward
        Anonymous Coward

        Re: Who?

        I guess anyone who isn't using the App?

        I have to admit that I rarely log into my banking account with anything other than the App, My only reason is to download statements.

        But... you never can tell.

        In any case, I never log in to anything using MS, Google or Facebook accounts. As I don't have any of them, there is little point in even trying.

  4. Anonymous Coward
    Anonymous Coward

    You're skipping over another obvious issue..

    The fact that Microsoft now forces people to log in with their email address means that you've handed anyone who wants to breach a company already 50% of the login parameters. No wonder that they quickly had to cook up the Microsoft Authenticator which, of course, would have to be proprietary again instead of using the Open Standard RFC 6238 like the rest of the planet because, hey, they're Microsoft and they got away with changing Kerberos into something else too.

    1. Anonymous Coward
      Anonymous Coward

      Re: You're skipping over another obvious issue..

      Huh, last time I used MS Authenticator, it handled HOTP/TOTP just fine. Mind you, that was on WinPhone 10, so it's been a while.

      1. Anonymous Coward
        Anonymous Coward

        Re: You're skipping over another obvious issue..

        Oh, the "Expand" part works well, but you try to use TOTP for Microsoft functions.

  5. Anonymous Coward
    Anonymous Coward

    Everything is Unique, Nothing is Unique

    There's an aphorism that says if you can make it, somebody else can fake it.

    Fakes will always be identifiable, given the right knowledge, tools and impetus to actually investigate. The third component is often the most vital: the suspicion of nefarious activity - and the absence of this is where most fakes succeed. You accept a banknote in change from a supermarket purchase and probably put it in your purse/wallet/pocket without looking at it - you might subconsciously check it's the right colour for the denomination but not notice it's a £5 from the Bank of Egnland. Most of us will, at some time, have started to pay for something, only to notice we're handing over a foreign coin (the £1 and 1€ coins are easily mixed up, for example).

    So it is online. A healthy dose of cynicism regarding special offers is vital; if it looks too good to be true, it more often is. Yes, popup and ad blockers are useful, as are AV tools, but they should be treated as the backstop, and only partly effective ones at that.

    Since the C-19 lockdown started, and it was clear it was going to be more than a few weeks, I've been introducing computers and tablets to a number of elderly people in my area. Some have a suitable device in their home (provided by a relative); for most others, I'm handing over their first contact with such tech. Most already have a healthy dose of suspicion with anything online so it's a balance between giving them the courage (and skills) to try something new and being cautious. They don't know what to expect, so won't recognise when something is different and should be avoided. The general rule I give is that if you didn't ask for something, be suspicious and, if in doubt, switch it off and call. I keep them clear of banking details (a local charity provides a shopping service for them. when/if they can't get out to the local shops) and usually set up a new email address. Their online profile remains low and I get very few calls - but they're now able to email and have video calls with friends and distance family members, even get onto Facebook to join in with local groups (with a warning not to be tempted by any adverts that they'll see - again, if there's something they might like, call and let me, or one of my team of volunteers, take a look first).

    1. Roland6 Silver badge

      Re: Everything is Unique, Nothing is Unique

      >I've been introducing computers and tablets to a number of elderly people in my area

      An excellent journey into UI design - you thought you knew about UI, but forget you've become used to tech, whereas the 80+ were retiring around 2000, so have had little need to engage with smartphones, the Internet etc.

      I suspect many of those around 60 today will have similar problems with tech in 20+ years' time.

  6. Wade Burchette

    Greed

    << Asked how it might be done, he replied, "The simple answer is: you would create an ad creative that has a JS payload. When the ad loads on an end user device, and detects that the iframe it's loading inside isn't sandboxed, it would trigger a pop-out window that looks like a login page." >>

    So, this and other malvertising attacks can be stopped by BANNING JAVASCRIPT IN ADS! But that will never happen because of greed. Advertisers view their wallets as more important than my security. Whenever an advertiser tries to shame me into turning off my ad-blocker, I always tell them my security is more important than your profit. My ad-blocker allows all ads without javascript, which is now 0.0000000000% of the ads out there. Malvertising can die immediately if advertisers went back to the successful ads of the early internet, which were static and had no javascript.

    1. Joe W Silver badge

      Re: Greed

      This. So much.

      Ad flingers can go and just fsck themselves. Static ads are OK, heck, I might even find something interesting - but then show stuff related to the website and not to some brain dead "profile" (we all know those examples, and there was a sftw recently). Meh. I'll have a drink.

  7. Henry Wertz 1 Gold badge

    Seen 'em

    Seen 'em. Go to some greasy porn or pirate site (not that I've ever done that... oh no... of course not) in Ubuntu and be amazed at the appearance of "Windows" dialog boxes on screen, swearing up and down you must click "Yes" to continue, click to install flash (on pages with zero flash), update your video codecs, update chrome (even when I'm in Firefox), update my virus scanner, and so on.

    Of course, this specific method of doing this does appear to be novel.

  8. This post has been deleted by its author

  9. Grunchy Bronze badge

    I got duped

    In my case it was the YouTube scams, the perpetrators were creating videos on hacked accounts including SpaceX and Steve Wozniak and several others. It never occurred to me that Wozniak, SpaceX, and several more would all be simultaneously hacked repeatedly and sustainably on YouTube for weeks and months on end.

    My 0.3 btc wallet was drained, the one single video I ultimately fell for collected over 8 btc before they harvested it.

    Theoretically the transactions are 100% fully traceable due to blockchain but practically not. What I learned is that not only is cryptocurrency a complete scam from day one, that scam has endured to this very day, spawning endless new scams. I intend never to get involved again and the only stories I read about crypto are how it’s only used by crooks anyway and the innumerable hacking attacks and confidence tricks surrounding it. The destiny of crypto is that every ‘coin’ is going to be stolen by criminals and they will be the only ones left ‘using’ it (notwithstanding that there is zero practical way to use crypto, it’s just something that people scam back and forth off one another.) For instance, you cannot buy a slurpee with crypto at any 7-11.

  10. colin79666
    Facepalm

    Familiar

    I thought this seemed familiar… Back in late 2003/2004 there was an earlier version of this whereby an IE6 window was launched with no window chrome and then a fake address bar was put in. In those days browsers let developers hide the address bar with JavaScript.

    1. Bachelorette

      Re: Familiar

      Even Firefox was guilty of that in the early days.

      IIRC, Firefox even didn't have a frame surrounding the website contents, whereas at least IE6 had the website contents surrounded by a standard reversed 3D border, so that the website couldn't fake a browser toolbar control.

  11. Anonymous Coward
    Anonymous Coward

    What are these advert things of which he speaks?

    What are these advert things of which he speaks?

    1. Chris 15
      FAIL

      Re: What are these advert things of which he speaks?

      Indeed. This is the reason that ads and any third party/untrusted javascript will basically forever remain blocked here. You want to have your website visitors view ads on your page? Fine, then host the ad images yourself and take responsibility.

      Third party adslingers are the scourge of the internet.

  12. Bachelorette

    The problem isn't how easy it is to fake browser windows, but that websites shouldn't be using popup windows to get users to log in, in the first place. This discussion had been going on for almost 15 years and the main browser vendor (Google) hasn't bothered to come up with a decent solution despite probably having the most logged in websites in the world.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022