  • Matthew Spencer - Tech Journalist

A browser-in-the-browser attack is the perfect tool for phishing.

Tech News Hub prioritises users' privacy and security. The browser-in-the-browser attack (BitB) is not a new phishing technique, but it is being used quite often nowadays. If you're someone who would be intrigued by something like this, please refrain from collecting other people's data. Tricking people into giving out sensitive credentials such as passwords is illegal and unethical.

InfoSec Institute is a security education, research and training organisation. A researcher from InfoSec, known as Mr.d0x, described the browser-in-the-browser attack in a lot of detail. Even though the components can be dangerous in the hands of threat actors, for educational purposes it is necessary to understand how things like these work and how to prevent them.

Before going any further, let us understand what BitB is. All of us, as internet users, have seen popups while logging in through a browser. Such a popup works as a mechanism that provides login security and a separate field to fill in. BitB can be used to steal login credentials by simulating this smaller browser window.

Authentication services such as Microsoft, Google and similar providers ask for a username and password in a popup window. We've seen it now and then; it may look like a "Sign in with Google" button.

Threat actors use the exact same mechanism: they inject scripts that trigger the same kind of popup, but the inputs are visible to them. Once they grab the inputs, they can use them to hijack accounts or steal data and sensitive information.

A similar term is the man-in-the-browser attack, which uses the same approach as a man-in-the-middle (MitM) attack: a Trojan horse intercepts and manipulates values inside the main application, in our case the browser, to bring down its security mechanisms.

Browsers today have excellent security features and mechanisms, including the Content Security Policy (CSP) setting. Another great addition is the same-origin policy security model, which protects data and ensures safe content is displayed. Developers are constantly adding ways to prevent this kind of attack. Still, once a script is executed, it may give attackers sensitive information.

Another method is clickjacking, also known as user-interface redressing, which can easily alter how the browser appears. Attackers copy the code used by popular services to duplicate them and convince users that they are looking at the real thing.

Replicating an actual service window with a phishing one is pretty simple: copying the code and styling it is enough. The bad news is that anyone can do it. The good news is that they are blocked by default in our browsers. The operating system, an antivirus program and the user's habits are enough to keep those threat actors at the doorstep.

A fabricated browser window shouldn't have the padlock icon in the URL bar, but the advanced BitB methods include it. The signs look quite obvious if users are careful while browsing the web. It is easy to replicate a browser window, but it is also easy for trained eyes to spot the difference.

Security researchers find the BitB mechanism concerning because it can work alongside advertising mechanisms and blow through the secure ecosystem. Last year, analytics indicated that 70 per cent of top publisher websites failed to sandbox iframes, which are used to serve ads.
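The sandboxing gap mentioned above is easy to check for. The following is an added example, not code from the article or from Mr.d0x: a small audit that scans a page's HTML for `<iframe>` tags and reports ad slots that have no `sandbox` attribute, or a sandbox whose tokens defeat its purpose. The sample HTML and ad URLs are constructed for illustration; the tag parsing is a deliberately simple regex scan, not a full HTML parser.

```javascript
// Added example (not from the article): audit <iframe> tags for missing or
// self-defeating sandbox attributes, the gap the "70 per cent" figure refers to.

// Parse the attribute text of one tag into a { name: value } object.
// Attributes with no value (e.g. a bare "sandbox") map to the empty string.
function parseAttrs(attrString) {
  const attrs = {};
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrString)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Classify one iframe's sandbox configuration.
function classifySandbox(attrs) {
  if (!("sandbox" in attrs)) {
    return { status: "unsandboxed", reason: "no sandbox attribute: framed content runs with full privileges" };
  }
  const tokens = new Set(attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  const issues = [];
  // With both tokens the framed document is same-origin AND may run script,
  // so it can simply remove the sandbox attribute from its own frame element.
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    issues.push("allow-scripts + allow-same-origin: framed script can remove its own sandbox");
  }
  // A framed ad that may navigate the top-level page can send the reader anywhere.
  if (tokens.has("allow-top-navigation")) {
    issues.push("allow-top-navigation: framed content can navigate the publisher page");
  }
  return issues.length > 0 ? { status: "weak", reason: issues.join("; ") } : { status: "ok", reason: "" };
}

// Walk every <iframe ...> opening tag in the HTML and return one finding per frame.
function auditIframes(html) {
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const verdict = classifySandbox(attrs);
    findings.push({ src: attrs.src ?? "", ...verdict });
  }
  return findings;
}

// Constructed sample: three ad slots on a publisher page (hypothetical URLs).
const SAMPLE_HTML = `
<div class="ad"><iframe src="https://ads.example/slot-a"></iframe></div>
<div class="ad"><iframe src="https://ads.example/slot-b" sandbox="allow-scripts allow-same-origin"></iframe></div>
<div class="ad"><iframe src="https://ads.example/slot-c" sandbox="allow-scripts allow-popups"></iframe></div>
`;

for (const f of auditIframes(SAMPLE_HTML)) {
  console.log(`${f.status.padEnd(12)} ${f.src} ${f.reason}`);
}
```

Run against the sample, the audit flags slot-a as unsandboxed, slot-b as weak (its sandbox can be removed by the framed script) and slot-c as ok. An empty `sandbox` attribute is the most restrictive setting and is reported as ok.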

To avoid becoming a victim, Mr.d0x advised against logging in from outside websites. Authentic websites use legitimate login mechanisms; a third-party website asking for credentials to log in to another service should be thought about more than once.

Even though the phishing method is dangerous and easily deceives people, it has limitations. Software specialising in threat detection can easily detect the approach, and password managers won't autofill credentials into a BitB window. The information shared here is solely to teach our readers how BitB works in real life, its back-end development process and ways to stay safe from it. Please refrain from using the method to phish people, as the outcome can be legal consequences.
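Why a password manager stays silent in front of a BitB window is worth seeing mechanically. The following is an added example, not code from the article or from any real password manager: a toy model in which saved credentials are bound to an origin (scheme, host and port) and the fill decision looks only at the origin of the document that actually owns the input field, never at the URL text painted inside the page. The vault entries, the URLs and the four login scenarios are constructed for illustration, and exact-origin matching is a simplification (real managers add rules such as registrable-domain matching).

```javascript
// Added example (not from the article): a toy password-manager fill decision,
// showing why a BitB window, which is just content inside the attacker's page,
// never receives saved credentials. All data below is constructed.

const VAULT = [
  { site: "https://accounts.example.com", username: "alice", password: "correct-horse" },
  { site: "http://intranet.example.net:8080", username: "alice", password: "battery-staple" },
];

// Reduce a URL to its origin (scheme + host + port); malformed input yields null.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// The fill decision keys on the origin of the document that owns the input.
// A fake address bar drawn with HTML and CSS is just text; it is never consulted.
function credentialsFor(vault, documentUrl) {
  const origin = originOf(documentUrl);
  if (origin === null) return [];
  return vault.filter((entry) => originOf(entry.site) === origin);
}

// A login surface as the manager sees it: where the input actually lives, plus
// (for the comparison only) the URL the user believes they are looking at.
function evaluateLoginSurface(vault, surface) {
  const offered = credentialsFor(vault, surface.documentUrl);
  const displayedOrigin = originOf(surface.displayedUrl);
  const actualOrigin = originOf(surface.documentUrl);
  return {
    label: surface.label,
    offered: offered.map((e) => e.username),
    // Displayed origin differing from the owning document's origin is the
    // tell-tale of a BitB window: the "trained eyes" check, done mechanically.
    displayMismatch: displayedOrigin !== actualOrigin,
  };
}

// Constructed scenarios (hypothetical hosts).
const SURFACES = [
  { label: "real top-level login",
    documentUrl: "https://accounts.example.com/signin",
    displayedUrl: "https://accounts.example.com/signin" },
  { label: "real popup opened with window.open",
    documentUrl: "https://accounts.example.com/oauth?client=news",
    displayedUrl: "https://accounts.example.com/oauth?client=news" },
  { label: "BitB fake popup drawn inside the article page",
    documentUrl: "https://news-login.example.org/article",
    displayedUrl: "https://accounts.example.com/signin" },
  { label: "plain-http lookalike of the real host",
    documentUrl: "http://accounts.example.com/signin",
    displayedUrl: "http://accounts.example.com/signin" },
];

function runScenarios() {
  return SURFACES.map((s) => evaluateLoginSurface(VAULT, s));
}

for (const r of runScenarios()) {
  console.log(`${r.label}: offered=${JSON.stringify(r.offered)} mismatch=${r.displayMismatch}`);
}
```

The two genuine surfaces are offered "alice"; the BitB surface gets nothing, because its input lives in the attacker's document, and it is the only scenario where the displayed origin disagrees with the real one. The plain-http lookalike also gets nothing, since the scheme is part of the origin.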
