A researcher known as "mr.d0x" has developed a proof-of-concept "browser in the browser" (BitB) attack that could phish passwords using a malicious site that contains neither suspicious domains nor substituted letters, both telltale signs of phishing sites.
The technique uses a fake browser window inside a real browser window to spoof an OAuth page.
The OAuth protocol is used by many sites to allow visitors to log in using existing Google, Facebook, Apple, or other accounts.
BitB relies on a series of HTML and cascading style sheets (CSS) tricks to spoof the second browser window that normally opens to connect to the site facilitating login or payment.
The spoofed window appears identical to the genuine window and can display a valid address with a padlock and HTTPS prefix.
However, the BitB windows cannot be resized, fully maximized, or moved outside the primary window.
From Ars Technica
Abstracts Copyright © 2022 SmithBucklin, Washington, DC, USA