[HN Gopher] Browser in the Browser (BITB) Attack
___________________________________________________________________
Browser in the Browser (BITB) Attack
Author : jcynix
Score : 59 points
Date : 2022-03-16 10:59 UTC (1 days ago)
(HTM) web link (mrd0x.com)
(TXT) w3m dump (mrd0x.com)
| AlexAndScripts wrote:
| I've seen this in the wild with one of those Discord free-nitro
| scams. Had a popup window to "login through steam". The actual
| technical aspect was incredibly well made, and could have easily
| convinced me in a different context.
| bityard wrote:
| Someone at Google is going to use this as proof that the URL bar
| in Chrome should be hidden from the user by default, for security
| reasons of course.
| TobTobXX wrote:
| Wouldn't help, would it? The Attacker would just change the
| template to not have a url bar (or a url bar with just the
| domain).
| pcthrowaway wrote:
| Another potential mitigation for this would be for browsers to
| include a unique, user-specific, favicon-sized image in the
| address bar next to the lock. If the image doesn't match the one
| you see everywhere else, you know it's a phishing attack.
| bandie91 wrote:
| or it'd be nice if people didn't have to play hide-and-seek,
| Schwarzer Peter, and spot-the-difference games when they just want
| to browse the damn internet.
| olliej wrote:
| This is a benefit of password autofill systems: they aren't
| looking at the visual content of the page, just the origin
| information. If they don't match you don't get autofill which is
| a pretty good indicator of something being off. Then the hassle
| of actually getting the real password and typing it in may
| provide yet more time to realize.
| megous wrote:
| Fringe desktop environment, with fringe setup (like non-default
| window name styling, use of bitmap fonts, etc.) certainly helps
| here.
|
| The attack would have to be very well targeted, to fool the user.
|
| I only ever fool myself with my own desktop screenshots. :D
| randrews wrote:
| This attack would completely fall flat if you were using
| something that was posted here a couple days ago:
| https://hotdoglinux.com/
|
| The fake popup would be the only window that doesn't look like an
| Atari ST. :D
| metadat wrote:
| Yes, as long as HotDogL doesn't leak the OS variant via the
| User-Agent string or JavaScript.
| chagaif wrote:
| This is genius I would totally fall for this.
|
| I think there's literally no difference between the phishing and
| real pictures.
|
| Things that would make me notice this: My auto password is not
| popping up (yes I use that). I could drag the window to top or
| make it full screen and that won't work. I could check if another
| window is actually open in the taskbar.
| djrogers wrote:
| >Things that would make me notice this: My auto password is not
| popping up
|
| On macOS with 1password, there are numerous occasions where
| this is the case, from SSBs and electron apps, to random other
| things that 1P just doesn't see. I have to copy/paste my
| password _just_ often enough that I'd probably fall for this
| in-browser if I weren't paying much attention.
| godot wrote:
| I miss the old Windows 95 days of every open window having a
| visible tab on the panel next to the Start menu. But of course,
| nowadays everyone has dozens of open applications at all times,
| so it's a less feasible design.
| djrogers wrote:
| Wow - after 20 years of phishing variants, I've finally seen one
| that I'd 100% fall for. The rise of pop-up auth dialogs is
| something I've kinda just taken for granted as more and more
| platform-native apps make use of them - I wouldn't even blink if
| it happened to me in a browser window (until now).
| kybernetikos wrote:
| Maybe windows containing password entry boxes should be forced to
| overlap the browser chrome of their opener.
| jcynix wrote:
| Browsers, which seem to replace certain parts of current
| operating systems, aren't very safe. Here's one more example:
|
| "This article explores a phishing technique that simulates a
| browser window within the browser to spoof a legitimate domain."
| mooreds wrote:
| The strength of browsers (universally, near instant code
| deployment via URL) is also a weakness, unfortunately.
| woah wrote:
| What alternative do you suggest?
| jer0me wrote:
| Opening the auth window in a tab instead of a window would
| help. Including an avatar and extensions in the popup window
| and opening it on top of the chrome on the main browser
| window would help to differentiate it.
| zarq wrote:
| Even if browsers did this, you can still execute this
| attack. As long as not all of your users know what the
| expected behavior is, you can trick them with a fake UI as
| long as it looks believable.
| shakna wrote:
| The goal is not to protect 100% of your users, it is to
| reduce the number of users who are currently vulnerable.
| One is possible, one is not. If you can significantly
| reduce the number of users who will fall for an attack,
| then it is a success, even if not everyone is protected.
| simion314 wrote:
| A good solution is browser actually implementing useful stuff
| like needed widgets and useful features.
|
| For example, have a <login> element; browsers would style it
| the same for all websites and prevent developers from misleading
| the user.
| gruez wrote:
| >For example, have a <login> element; browsers would style
| it the same for all websites and prevent developers from
| misleading the user.
|
| more importantly, display to the user in such a way that no
| website can spoof it. For instance, it can dim the entire
| window (eg. like UAC on windows).
| metadat wrote:
| This doesn't solve it because then the phishermen will
| simply start cloning the <login> element style.
| simion314 wrote:
| >This doesn't solve it because then the phishermen will
| simply start cloning the <login> element style.
|
| You do the login in a native popup, similar to how you
| give, say, camera permissions.
| godot wrote:
| Reminds me of the old 90s days of Apache with .htaccess
| files Auth setup.
| metadat wrote:
| This seems like a decent solution as compared to the
| alternatives presented so far throughout the discussion.
|
| Folks who browse in an edge-to-edge maximized window
| will still be vulnerable. I generally don't do this,
| especially with the insane* width of displays these days.
|
| Would mobile users still be vulnerable? Due to:
|
| 1. Tiny screen dimensions.
|
| 2. No option for "window" resizing. It's not even a
| thing.
|
| * OT: Displays today are wide to such an extreme they
| tend to be too wide for my needs and tastes. Eventually
| it's too much like staring at the bottom 1/5th of a full-
| sized 4k display, which work sent me but turns out is
| mostly good for watching Batman, The Matrix, and other
| ultra-wide theatrical film releases. Granted, at this
| task, a 34" 1440p widescreen excels marvelously.
|
| Surely you've heard the joke (or is it an adage?):
|
| "With that 34" display, it can [finally] render a Java
| class name and fit it within a single line. But after the
| IDE and debugger open, you can only see the one line."
| pvg wrote:
| They are reasonably safe, given their size and complexity. They
| are certainly a lot safer than current widely used operating
| systems - those aren't designed for running unknown adversarial
| code at all - something a browser does all the time in typical
| use.
| EvanAnderson wrote:
| Browsers need the equivalent of a secure attention sequence[0].
|
| [0] https://en.wikipedia.org/wiki/Secure_attention_key
| philo23 wrote:
| This is a super common phishing attack on Steam, people send you
| links that eventually lead to a "Sign in with Steam" button,
| which opens up one of these fake popups with a perfectly styled
| login page. Almost got me the first time...
| hgomersall wrote:
| I was expecting a wasm browser inside the browser. I'm sure you
| could do something really rather sophisticated with that. No idea
| what though.
| Capira wrote:
| maybe fix dns?
| EvanAnderson wrote:
| That's coming. It will be used to deliver un-blockable ads,
| though.
| mikotodomo wrote:
| This appears to be unfixable.
| ElectronShak wrote:
| Very interesting, and certainly hard to catch, even for technical
| users. Maybe it is things like this where google is justified for
| "forcing" 2FA on us. Lowers, although minimally, the
| effectiveness of auth credential attacks.
| jcynix wrote:
| You cannot move the fake window out of its parent, but you can
| do this with a proper popup window. So it can be "caught", but
| this is (at least) inconvenient and easy to forget.
|
| As is 2FA, e.g. when I'm using a tablet in bed and the
| smartphone for the 2nd factor is on the table in the living
| room ... I'd like to see 2FA devices which could be easily
| duplicated, just as physical keys can.
| Wojakmeme wrote:
| Reminds me of
| https://web.archive.org/web/20130708023749/http://jack-sheph...
| pzmarzly wrote:
| I fell for that attack 2 years ago, when I had a separate Windows
| installation just for gaming. It was rarely used, so I didn't
| have a reason to customize it, and I only needed 2 or 3 passwords
| there, so I was too lazy to install my password manager (plus I
| feared it could get compromised in case of malicious mods, RCE bugs
| in games etc.). I also wasn't surprised that I was logged out, as
| I didn't remember where I was logged in and where I did not. I'm
| glad that Steam has working forms to lock an account, and that
| the attacker wasn't fast enough in changing email address.
|
| I wish the browsers would just open everything in new tabs.
| ShowalkKama wrote:
| Fear not, among the millions of flags firefox exposes in
| about:config there is browser.link.open_newwindow.restriction
| that does exactly what you are looking for! Make sure to set it
| to 0.
| a257 wrote:
| These sorts of 'exploits' take advantage of the site-agnostic
| nature of passwords. Using a password manager may be able to
| mitigate this.
|
| For this particular attack, a fun 'solution' may be to
| incorporate some sort of AI-based detection system to warn the
| user if anything resembling a browser is shown on the site.
| pcthrowaway wrote:
| A password manager would detect that the site doesn't match, so
| unless you copy it out of the vault directly it's likely to
| keep you secure.
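Added example (not from the mrd0x post or any commenter above): a small JavaScript model of the origin-bound check that olliej and pcthrowaway describe a password manager making. In a BITB page the "popup" is ordinary DOM painted by the phishing site, and the login form inside it lives in a frame whose real origin is the phisher's, whatever the fake address bar shows. The vault entries, the frame URLs and the `free-nitro.example` phishing host are constructed sample data; `autofillDecision`, `effectiveFrameOrigin` and the `spoofed` flag are my own names, not any real password manager's API.

```javascript
// Constructed vault: credentials are keyed by the origin they were saved on.
const vault = [
  { origin: "https://steamcommunity.com", username: "gamer", password: "hunter2" },
  { origin: "https://discord.com", username: "gamer#1234", password: "correct horse" },
];

// Canonical origin of a URL (scheme://host[:port], default port dropped).
// Assumption for this example: plain-http frames never get autofill.
function canonicalOrigin(url) {
  let u;
  try { u = new URL(url); } catch { return null; }
  if (u.protocol !== "https:") return null;
  return u.origin;
}

// Origin a manager attributes to the frame holding the login form.
// frameChain lists the innermost frame first. about:blank / about:srcdoc
// frames inherit their embedder's origin, so walk outwards past them.
function effectiveFrameOrigin(frameChain) {
  for (const f of frameChain) {
    if (f.url === "about:blank" || f.url === "about:srcdoc") continue;
    return canonicalOrigin(f.url);
  }
  return null;
}

// The decision. displayedUrl is whatever text the page paints in its
// (possibly fake) address bar; it is only used to flag a mismatch, never
// to pick credentials. That is the property the thread relies on.
function autofillDecision(frameChain, displayedUrl) {
  const origin = effectiveFrameOrigin(frameChain);
  const match = origin ? vault.find((e) => e.origin === origin) : undefined;
  const displayedOrigin = displayedUrl ? canonicalOrigin(displayedUrl) : null;
  return {
    origin,
    offered: match ? match.username : null,
    // "spoofed": the painted URL belongs to a saved site but the frame does not.
    spoofed: match === undefined && displayedOrigin !== null &&
      vault.some((e) => e.origin === displayedOrigin),
  };
}

// Real Steam OpenID popup: the form's frame really is steamcommunity.com.
const real = autofillDecision(
  [{ url: "https://steamcommunity.com/openid/login?openid.mode=checkid_setup" }],
  "https://steamcommunity.com/openid/login",
);

// BITB: fake chrome on the phishing page, form in an iframe from the same
// phishing site, address bar text copied from the real login URL.
const bitb = autofillDecision(
  [{ url: "https://free-nitro.example/steam-login.html" },
   { url: "https://free-nitro.example/" }],
  "https://steamcommunity.com/openid/login",
);

console.log("real popup:", real);   // offered: "gamer", spoofed: false
console.log("BITB frame:", bitb);   // offered: null, spoofed: true
```

The `spoofed` flag is exactly the "my autofill isn't popping up" signal chagaif and djrogers discuss; djrogers' caveat still applies, since a manager that fails to see the form for unrelated reasons produces the same silence.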
___________________________________________________________________
(page generated 2022-03-17 23:00 UTC)