Sign In

Communications of the ACM

ACM TechNews

Behold, a Password Phishing Site that Can Trick Even Savvy Users

View as: Print Mobile App Share:

The BitB technique is simple and effective enough that it’s surprising it isn’t better known.

Credit: Getty Images

A researcher known as "mr.d0x" has developed a proof-of-concept "browser in the browser" (BitB) exploit that could phish passwords using a malicious site that does not contain suspicious domains or substitute letters, both telltale signs of phishing sites.

The technique uses a fake browser window inside a real browser window to spoof an OAuth page.

The OAuth protocol is used by many sites to allow visitors to log in using existing Google, Facebook, Apple, or other accounts.

BitB relies on a series of HTML and cascading style sheets (CSS) tricks to spoof the second browser window that normally opens to connect to the site facilitating login or payment.

The spoofed window appears identical to the genuine window and can display a valid address with a padlock and HTTPS prefix.

However, the BitB windows cannot be resized, fully maximized, or moved outside the primary window.

From Ars Technica
View Full Article


Abstracts Copyright © 2022 SmithBucklin, Washington, DC, USA


No entries found