Browser-In-Browser Could Steal Passwords
A security researcher has warned that a fake browser could be used to more effectively scam users into handing over login details. Password managers and similar tools may be one way to combat the tactic.
The warning comes from a security researcher who chooses to use the pseudonym mrd0x. They dubbed the approach a "browser-in-the-browser" attack. (Source: mrd0x.com)
The tactic would take advantage of websites that have registration and accounts but let users sign in with a third party account such as Google or Facebook. This works by displaying a pop-up window that's hosted by the third party rather than being part of the website itself. (Source: thehackernews.com)
Once the user has correctly inserted their details in the box, the third-party verifies the login and sends confirmation of the user's identity back to the website.
Bogus Window Is Bad News
According to mrdOx, the problem comes if the website itself is shady. Using JavaScript, the site could build the "pop-up" into the web page and have it appear when the user clicks a button to trigger the third-party login.
The supposed pop-up would actually be part of the rogue site and could capture the log-in details for the third party. To make things worse, the pop-up window would have a fake URL to make it look more credible.
With such an approach, the biggest challenge would fall back to being the need to get the victim on the bogus webpage in the first place, as well as making it look credible.
Password Manager May Not Be Fooled
The simplest way to avoid the problem would be to avoid using third-party sign-in altogether and instead use a unique password for every site. That's certainly more inconvenient but has the benefit that it makes it harder for tech giants to track online activity.
Another "workaround" of sorts is to use password manager tools. These should refuse to auto-fill the username and password boxes because they recognize the supposed log-in box is not actually hosted on the third-party site.
What's Your Opinion?
Do you use third-party logins? Does this warning make you less likely to use them? Do you think you're safe enough spotting scam websites in the first place?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website! If you need technical assistance , I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).
We are BBB Accredited
We are BBB accredited (A+ rating), celebrating 21 years of excellence! Click to view our rating on the BBB.
Comments
Do you use third-party logins? sometimes
Does this warning make you less likely to use them? yes
Do you think you're safe enough spotting scam websites in the first place? probably
I never use Google sign in
I already loathe how much information Google & Microsoft have on me. I refuse to use a site that requires a Google or Microsoft sign-on. When given the option, I always create a new user and password for each site and rarely reuse the same password. Yes it is FAR more difficult to keep track of all the different logins but it is likely much less difficult to do this than to repair a stolen identity.