Browser In The Browser (BITB) Attack

Talk about internet security, computer security, personal security, your social security number...
Post Reply
morganism
Senior Member
Posts: 134
Joined: Tue Nov 26, 2013 9:44 pm

Browser In The Browser (BITB) Attack

Post by morganism »

This article explores a phishing technique that simulates a browser window within the browser to spoof a legitimate domain.

https://mrd0x.com/browser-in-the-browse ... ng-attack/

For security professionals, the URL is usually the most trusted aspect of a domain. Yes there’s attacks like IDN Homograph and DNS Hijacking that may degrade the reliability of URLs but not to an extent that makes URLs unreliable.

All of this eventually lead me to think, is it possible to make the “Check the URL” advice less reliable? After a week of brainstorming I decided that the answer is yes.
(...)
Hovering over a URL to determine if it’s legitimate is not very effective when JavaScript is permitted.

With this technique we are now able to up our phishing game. The target user would still need to land on your website for the pop-up window to be displayed. But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so)."
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Browser In The Browser (BITB) Attack

Post by therube »

Quite often when we authenticate to a website via Google, Microsoft, Apple etc.
To me, that would seem to be the basic issue, not that a displayed URL could be spoofed.

(Seems to me, that Mozilla at least, has denied bugs to not allow that to happen. Possibly for good enough reasons.)

And then there is this part, "The target user would still need to land on your website".

So all in all, I'd think not as "bad" as it might seem.
And that said, I'm sure it could easily catch some.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 SeaMonkey/2.53.12
Post Reply