[HN Gopher] Browser in the Browser (BITB) Attack
___________________________________________________________________
Browser in the Browser (BITB) Attack
Author : jcynix
Score  : 59 points
Date   : 2022-03-16 10:59 UTC (1 day ago)

(HTM) web link (mrd0x.com)
(TXT) w3m dump (mrd0x.com)

| AlexAndScripts wrote:
| I've seen this in the wild with one of those Discord free-nitro scams. Had a popup window to "login through steam". The actual technical aspect was incredibly well made, and could have easily convinced me in a different context.

| bityard wrote:
| Someone at Google is going to use this as proof that the URL bar in Chrome should be hidden from the user by default, for security reasons of course.

| TobTobXX wrote:
| Wouldn't help, would it? The attacker would just change the template to not have a URL bar (or a URL bar with just the domain).

| [deleted]

| pcthrowaway wrote:
| Another potential mitigation for this would be for browsers to include a unique, user-specific, favicon-sized image in the address bar next to the lock. If the image doesn't match the one you see everywhere else, you know it's a phishing attack.

| bandie91 wrote:
| Or it'd be nice if people didn't have to play hide-and-seek, schwarzer-peter, and spot-the-difference games when they just want to browse the damn internet.

| olliej wrote:
| This is a benefit of password autofill systems: they aren't looking at the visual content of the page, just the origin information. If they don't match, you don't get autofill, which is a pretty good indicator of something being off. Then the hassle of actually getting the real password and typing it in may provide yet more time to realize.

| megous wrote:
| Fringe desktop environment, with fringe setup (like non-default window name styling, use of bitmap fonts, etc.) certainly helps here.
|
| The attack would have to be very well targeted to fool the user.
|
| I only ever fool myself with my own desktop screenshots. :D

| randrews wrote:
| This attack would completely fall flat if you were using something that was posted here a couple days ago: https://hotdoglinux.com/
|
| The fake popup would be the only window that doesn't look like an Atari ST. :D

| metadat wrote:
| Yes, as long as HotDogL doesn't leak the OS variant via the User-Agent string or JavaScript.

| chagaif wrote:
| This is genius. I would totally fall for this.
|
| I think there's literally no difference between the phishing and real pictures.
|
| Things that would make me notice this: my auto password is not popping up (yes, I use that). I could drag the window to the top or make it full screen and that won't work. I could check if another window is actually open in the taskbar.

| djrogers wrote:
| > Things that would make me notice this: my auto password is not popping up
|
| On macOS with 1Password, there are numerous occasions where this is the case, from SSBs and Electron apps to random other things that 1P just doesn't see. I have to copy/paste my password _just_ often enough that I'd probably fall for this in-browser if I weren't paying much attention.

| godot wrote:
| I miss the old Windows 95 days of every open window having a visible tab on the panel next to the Start menu. But of course, nowadays everyone has dozens of open applications at all times, so it's a less feasible design.

| djrogers wrote:
| Wow - after 20 years of phishing variants, I've finally seen one that I'd 100% fall for. The rise of pop-up auth dialogs is something I've kinda just taken for granted as more and more platform-native apps make use of them - I wouldn't even blink if it happened to me in a browser window (until now).

| kybernetikos wrote:
| Maybe windows containing password entry boxes should be forced to overlap the browser chrome of their opener.

| jcynix wrote:
| Browsers, which seem to replace certain parts of current operating systems, aren't very safe. Here's one more example:
|
| "This article explores a phishing technique that simulates a browser window within the browser to spoof a legitimate domain."

| mooreds wrote:
| The strength of browsers (universally, near instant code deployment via URL) is also a weakness, unfortunately.

| woah wrote:
| What alternative do you suggest?

| jer0me wrote:
| Opening the auth window in a tab instead of a window would help. Including an avatar and extensions in the popup window and opening it on top of the chrome on the main browser window would help to differentiate it.

| zarq wrote:
| Even if browsers did this, you can still execute this attack. As long as not all of your users know what the expected behavior is, you can trick them with a fake UI as long as it looks believable.

| shakna wrote:
| The goal is not to protect 100% of your users, it is to reduce the number of users who are currently vulnerable. One is possible, one is not. If you can significantly reduce the number of users who will fall for an attack, then it is a success, even if not everyone is protected.

| simion314 wrote:
| A good solution is browsers actually implementing useful stuff like needed widgets and useful features.
|
| For example, have a <login> element; browsers will style it the same for all websites and prevent developers from misleading the user.

| gruez wrote:
| > For example, have a <login> element; browsers will style it the same for all websites and prevent developers from misleading the user.
|
| More importantly, display it to the user in such a way that no website can spoof it. For instance, it can dim the entire window (e.g. like UAC on Windows).

| metadat wrote:
| This doesn't solve it because then the phishermen will simply start cloning the <login> element style.

| simion314 wrote:
| > This doesn't solve it because then the phishermen will simply start cloning the <login> element style.
|
| You do the login in a native popup, similar to how you give, say, camera permissions.

| godot wrote:
| Reminds me of the old 90s days of Apache with .htaccess file auth setup.

| metadat wrote:
| This seems like a decent solution compared to the alternatives presented so far throughout the discussion.
|
| Folks who browse in an edge-to-edge maximized window will still be vulnerable. I generally don't do this, especially with the insane* width of displays these days.
|
| Would mobile users still be vulnerable? Due to:
|
| 1. Tiny screen dimensions.
|
| 2. No option for "window" resizing. It's not even a thing.
|
| * OT: Displays today are wide to such an extreme they tend to be too wide for my needs and tastes. Eventually it's too much like staring at the bottom 1/5th of a full-sized 4k display, which work sent me but turns out is mostly good for watching Batman, The Matrix, and other ultra-wide theatrical film releases. Granted, at this task, a 34" 1440p widescreen excels marvelously.
|
| Surely you've heard the joke (or is it an adage?):
|
| _"With that 34" display, it can [finally] render a Java Class Name and fit it within a single line. But after the IDE and debugger open, you can only see the one line."_

| pvg wrote:
| They are reasonably safe, given their size and complexity. They are certainly a lot safer than current widely used operating systems - those aren't designed for running unknown adversarial code at all - something a browser does all the time in typical use.

| EvanAnderson wrote:
| Browsers need the equivalent of a secure attention sequence[0].
|
| [0] https://en.wikipedia.org/wiki/Secure_attention_key

| philo23 wrote:
| This is a super common phishing attack on Steam, people send you links that eventually lead to a "Sign in with Steam" button, which opens up one of these fake popups with a perfectly styled login page. Almost got me the first time...

| hgomersall wrote:
| I was expecting a wasm browser inside the browser. I'm sure you could do something really rather sophisticated with that. No idea what though.

| Capira wrote:
| Maybe fix DNS?

| EvanAnderson wrote:
| That's coming. It will be used to deliver un-blockable ads, though.

| mikotodomo wrote:
| This appears to be unfixable.

| ElectronShak wrote:
| Very interesting, and certainly hard to catch, even for technical users. Maybe it is things like this where Google is justified for "forcing" 2FA on us. Lowers, although minimally, the effectiveness of auth credential attacks.

| jcynix wrote:
| You cannot move the fake window out of its parent, but you can do this with a proper popup window. So it can be "catched", but this is (at least) inconvenient and easy to forget.
|
| As is 2FA, e.g. when I'm using a tablet in bed and the smartphone for the 2nd factor is on the table in the living room ... I'd like to see 2FA devices which could be easily duplicated, just as physical keys can.

| Wojakmeme wrote:
| Reminds me of https://web.archive.org/web/20130708023749/http://jack-sheph...

| pzmarzly wrote:
| I fell for that attack 2 years ago, when I had a separate Windows installation just for gaming. It was rarely used, so I didn't have a reason to customize it, and I only needed 2 or 3 passwords there, so I was too lazy to install my password manager (plus I feared it could get compromised in case of malicious mods, RCE bugs in games etc.). I also wasn't surprised that I was logged out, as I didn't remember where I was logged in and where I did not. I'm glad that Steam has working forms to lock an account, and that the attacker wasn't fast enough in changing the email address.
|
| I wish the browsers would just open everything in new tabs.

| ShowalkKama wrote:
| Fear not, among the millions of flags Firefox exposes in about:config there is browser.link.open_newwindow.restriction that does exactly what you are looking for! Make sure to set it to 0.

| a257 wrote:
| These sorts of 'exploits' take advantage of the site-agnostic nature of passwords. Using a password manager may be able to mitigate this.
|
| For this particular attack, a fun 'solution' may be to incorporate some sort of AI-based detection system to warn the user if anything resembling a browser is shown on the site.

| pcthrowaway wrote:
| A password manager would detect that the site doesn't match, so unless you copy it out of the vault directly it's likely to keep you secure.
___________________________________________________________________
(page generated 2022-03-17 23:00 UTC)
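As an added example, not code from the thread or from the mrd0x write-up, here is the origin-based autofill rule that olliej and pcthrowaway describe, modelled in JavaScript: the manager never reads the pixels of the "login window", only the origin of the document that actually holds the form, which is why a fake drawn inside the phishing page gets nothing. All hostnames are constructed (`.example`), and the vault and the registrable-domain helper are simplifications rather than any real manager's API.

```javascript
// Added example (not from the HN thread or the mrd0x post). Models a
// password manager's autofill decision: it asks the browser which document
// contains the password field and compares that document's origin with the
// origin the credential was saved on. Hosts are constructed; the vault and
// site() helper are simplifications, not a real manager's internals.

const VAULT = [{ origin: "https://login.example.com", username: "alice" }];

// Registrable domain ("site"). Good enough for the demo; a real manager
// would consult the public suffix list so co.uk-style suffixes work.
function site(hostname) {
  const parts = hostname.split(".");
  return parts.length > 2 ? parts.slice(-2).join(".") : hostname;
}

// form.documentUrl is what the browser knows for certain: the URL of the
// document whose DOM holds the field. form.paintedUrl is whatever text the
// page drew in its fake address bar; the decision never looks at it.
function autofillDecision(form) {
  let doc;
  try {
    doc = new URL(form.documentUrl);
  } catch {
    return { fill: false, reason: "document URL does not parse" };
  }
  if (doc.protocol !== "https:") {
    return { fill: false, reason: `refusing to fill over ${doc.protocol}` };
  }
  // Parse, then compare hostnames. String-prefix checks would be fooled by
  // "login.example.com@attacker.example" and "login.example.com.attacker.example".
  const cred = VAULT.find(c => site(new URL(c.origin).hostname) === site(doc.hostname));
  if (!cred) {
    return { fill: false, reason: `no credential saved for ${doc.origin}` };
  }
  return { fill: true, username: cred.username };
}

// Constructed scenarios. Only realPopup is a separate top-level window (the
// kind you can drag outside its opener); the rest are forms living inside
// the phishing page's own DOM, however convincing their painted chrome is.
const CASES = {
  realPopup: { documentUrl: "https://login.example.com/openid?return=https://games.example.com/", paintedUrl: "https://login.example.com/openid" },
  bitbFake:  { documentUrl: "https://free-nitro.attacker.example/claim",         paintedUrl: "https://login.example.com/openid" },
  lookalike: { documentUrl: "https://login.example.com.attacker.example/openid", paintedUrl: "https://login.example.com/openid" },
  userinfo:  { documentUrl: "https://login.example.com@attacker.example/openid", paintedUrl: "https://login.example.com/openid" },
  plainHttp: { documentUrl: "http://login.example.com/openid",                   paintedUrl: "https://login.example.com/openid" },
};

function runAll() {
  return Object.fromEntries(Object.entries(CASES).map(([name, f]) => [name, autofillDecision(f)]));
}

console.table(runAll());
```

Only the genuine popup is offered a credential; every in-page imitation, including the hostname tricks, falls through to "no credential saved", which is the silence the thread suggests treating as a warning sign.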