Most websites these days offer multiple options to create an account. You can either register with the website, or use the single sign-on (SSO) mechanism to log in to the website using your existing accounts with reputable companies like Google, Facebook, or Apple. A cybersecurity researcher has capitalized on this and devised a novel mechanism to steal your login credentials by creating a virtually undetectable fake SSO login window.

“The growing popularity of SSO provides a lot of benefits to [people],” Scott Higgins, Director of Engineering at Dispersive Holdings, Inc., told Lifewire over email. “However, clever hackers are now taking advantage of this route in an ingenious way.”

Fake Login

Traditionally, attackers have employed tactics like homograph attacks that replace some of the letters in the original URL with similar-looking characters to create new, hard-to-spot malicious URLs and fake login pages. However, this strategy often falls apart if people carefully scrutinize the URL. The cybersecurity industry has long advised people to check the URL bar to ensure it lists the right address, and has a green padlock next to it, which signals that the webpage is secure.

“All of this eventually led me to think, is it possible to make the ‘Check the URL’ advice less reliable? After a week of brainstorming I decided that the answer is yes,” wrote the anonymous researcher who uses the pseudonym mr.d0x.

The attack mr.d0x created, named browser-in-the-browser (BitB), uses the three essential building blocks of the web—HTML, cascading style sheets (CSS), and JavaScript—to craft a fake SSO pop-up window that’s essentially indistinguishable from the real thing.

“The fake URL bar can contain anything it wants, even seemingly valid locations. Furthermore, JavaScript modifications make it so that hovering on the link, or login button would pop up a seemingly valid URL destination as well,” added Higgins after examining mr.d0x’s mechanism.

To demonstrate BitB, mr.d0x created a fake version of the online graphic design platform, Canva. When someone clicks to log in to the fake site using the SSO option, the website pops up the BitB crafted login window with the legitimate address of the spoofed SSO provider, such as Google, to trick the visitor into entering their login credentials, which are then sent to the attackers.

The technique has impressed several web developers. “Ooh that’s nasty: Browser In The Browser (BITB) Attack, a new phishing technique that allows stealing credentials that even a web professional can’t detect,” François Zaninotto, CEO of web and mobile development company Marmelab, wrote on Twitter.

Look Where You’re Going

While BitB is more convincing than run-of-the-mill fake login windows, Higgins shared a few tips that people can use to protect themselves. For starters, despite the BitB SSO pop-up window looking like a legitimate pop-up, it really isn’t. Therefore, if you grab the address bar of this pop-up and try to drag it, it won’t move beyond the edge of the main website’s window, unlike a real pop-up window, which is completely independent and can be moved to any part of the desktop.

Higgins shared that testing the legitimacy of the SSO window using this method wouldn’t work on a mobile device. “This is where [multi-factor authentication] or use of passwordless authentication options can really be helpful. Even if you did fall prey to the BitB attack, [the scammers] wouldn’t necessarily be able to [use your stolen credentials] without the other portions of an MFA login routine,” suggested Higgins.

Also, since it is a fake login window, the password manager (if you’re using one) won’t automatically fill in the credentials, again giving you pause to spot something amiss.

It’s also important to remember that while the BitB SSO pop-up is hard to spot, it must still be launched from a malicious site. To see a pop-up like this, you would already have had to be on a fake website.

This is why, coming full circle, Adrien Gendre, Chief Tech and Product Officer at Vade Secure, suggests people should look at URLs every time they click a link. “The same way we check the number on the door to make sure we end up in the right hotel room, people should always have a quick look at the URLs when browsing a website. The internet is not our home. It is a public space. We must check what we are visiting,” stressed Gendre.
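An added example (not from the article or from mr.d0x's work) of the defensive check these tips imply: a genuine SSO pop-up is a separate window on the provider's own origin, so a document served from a different origin that draws a provider's login address as page text and also holds a password field is worth flagging. The provider host list, the sample hosts and the markup are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, illustrative list of SSO login hosts (not taken from the article).
SSO_HOSTS = {"accounts.google.com", "www.facebook.com", "appleid.apple.com"}
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

class _Scan(HTMLParser):
    """Collect password fields and SSO hostnames drawn as visible page text."""
    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.shown_hosts = set()
        self._hidden = 0  # depth inside <script>/<style>; that text is not rendered

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            hosts = {m.group(1).lower() for m in HOST_IN_TEXT.finditer(data)}
            self.shown_hosts |= hosts & SSO_HOSTS

def bitb_indicators(page_url, html):
    """Flag a document that shows another origin's SSO address beside a password field."""
    origin = (urlsplit(page_url).hostname or "").lower()
    scan = _Scan()
    scan.feed(html)
    scan.close()
    foreign = sorted(scan.shown_hosts - {origin})  # hosts displayed but not actually serving the page
    return {"origin": origin, "displayed_sso_hosts": foreign,
            "password_inputs": scan.password_inputs,
            "suspicious": bool(foreign) and scan.password_inputs > 0}

# Constructed sample pages (hypothetical hosts and markup).
FAKE_SITE = ("https://design-tool.example/login",
             '<div class="win"><span>https://accounts.google.com/signin</span>'
             '<form><input type="email"><input type="password"></form></div>')
REAL_SITE = ("https://design-tool.example/login",
             '<button id="sso">Continue with Google</button>')
REAL_IDP = ("https://accounts.google.com/signin",
            '<p>accounts.google.com</p><form><input type="password"></form>')
```

The check reads static HTML only, so it is a triage heuristic, not proof. Like a password manager's autofill, it keys on the document's real origin and not on what the page displays.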