March 22, 2022 01:25 am

Browser-in-the-Browser Attack Can Trick Even Savvy Users

apoc.famine shares a report from Ars Technica: Hundreds of thousands of sites use the OAuth protocol to let visitors log in using their existing accounts with companies like Google, Facebook, or Apple. Instead of having to create an account on the new site, visitors can use an account that they already have -- and the magic of OAuth does the rest. The Browser-in-the-Browser (BitB) technique capitalizes on this scheme. Instead of opening a genuine second browser window that's connected to the site facilitating the login or payment, BitB uses a series of HTML and cascading style sheets (CSS) tricks to convincingly spoof the second window. The URL that appears there can show a valid address, complete with a padlock and HTTPS prefix. The layout and behavior of the window appear identical to the real thing. While the method is convincing, it has a few weaknesses that should give savvy visitors a foolproof way to detect that something is amiss. Genuine OAuth or payment windows are in fact separate browser instances that are distinct from the primary page. That means a user can resize them and move them anywhere on the monitor, including outside the primary window. BitB windows, by contrast, aren't a separate browser instance at all. Instead, they're images rendered by custom HTML and CSS and contained in the primary window. That means the fake pages can't be resized, fully maximized or dragged outside the primary window. All users should protect their accounts with two-factor authentication. One other thing more experienced users can do is right-click on the popup page and choose "inspect." If the window is a BitB spawn, its URL will be hardcoded into the HTML.

Read more of this story at Slashdot.
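The "right-click and inspect" check in the story can be scripted for a defender reviewing a captured page, for instance one saved from a reported phishing link. Below is an added Python example, not code from Ars Technica, Slashdot or the researcher the story covers: it parses HTML with the standard library and flags a URL that is rendered as visible text inside a positioned overlay, beside a padlock glyph, for a host the page never actually links to or loads. The heuristics, the two-signal threshold and the two sample pages (example.com and example.org hosts) are assumptions made for the example.

```python
"""Heuristic scan of captured page HTML for Browser-in-the-Browser style fake
popups.  The give-away the story describes is that a BitB "window" is ordinary
page content: the address it shows is a string hardcoded in the HTML and drawn
inside an overlay, not the location of a real second browser window.
Added, constructed example; heuristics and sample pages are assumptions.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A URL appearing as visible text (not as an attribute value).
URL_IN_TEXT = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\"'<>]*)?")
# Padlock glyphs or a "secure" label, which a spoofed address bar tends to carry.
PADLOCK = re.compile("[\U0001F512\U0001F510]|\\bsecure\\b", re.IGNORECASE)
# Inline positioning typical of an overlay drawn on top of the page.
POSITIONED = re.compile(r"position\s*:\s*(?:fixed|absolute)", re.IGNORECASE)
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


@dataclass
class Finding:
    url: str          # the address the page *displays*
    reasons: list     # which heuristics fired


class BitBScanner(HTMLParser):
    """Collects URL-looking visible text plus the hosts the page really references."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._stack = []             # currently open elements as (tag, attrs)
        self._candidates = []        # (url, reasons, inside_link) pending the whole-page check
        self._last_text = ""         # previous non-blank text node (a padlock glyph is often a sibling)
        self.hosts_in_attrs = set()  # hostnames taken from href/src/action attributes

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        for key in ("href", "src", "action"):
            host = urlsplit(a.get(key, "")).hostname
            if host:
                self.hosts_in_attrs.add(host.lower())
        if tag not in VOID_TAGS:     # void elements never get an end tag
            self._stack.append((tag, a))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy nesting.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                return

    def handle_data(self, data):
        for m in URL_IN_TEXT.finditer(data):
            reasons = []
            if PADLOCK.search(data) or PADLOCK.search(self._last_text):
                reasons.append("padlock glyph or 'secure' label beside the URL text")
            if any(POSITIONED.search(a.get("style", "")) or a.get("role") == "dialog"
                   for _, a in self._stack):
                reasons.append("drawn inside a positioned or dialog container, not a window")
            inside_link = any(t == "a" for t, _ in self._stack)
            self._candidates.append((m.group(0), reasons, inside_link))
        if data.strip():
            self._last_text = data

    def findings(self):
        out = []
        for url, reasons, inside_link in self._candidates:
            host = (urlsplit(url).hostname or "").lower()
            reasons = list(reasons)
            if host and host not in self.hosts_in_attrs:
                reasons.append("host is shown as text but never used in any href/src/action")
            # Link text echoing its own href is normal; otherwise require two signals.
            if not inside_link and len(reasons) >= 2:
                out.append(Finding(url, reasons))
        return out


def scan_html(html):
    """Return a list of Finding objects for the given HTML document."""
    scanner = BitBScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings()


# Constructed sample: a bare-bones BitB-style overlay (example.com is not a real target).
FAKE_POPUP = """
<div style="position:fixed;top:120px;left:300px;width:480px;border:1px solid #ccc">
  <div class="titlebar">Sign in - Example Accounts</div>
  <div class="addressbar"><span>\U0001F512</span> https://accounts.example.com/signin/oauth</div>
  <form action="/collect" method="post">
    <input name="email"><input name="password" type="password">
  </form>
</div>
"""

# Constructed sample: ordinary content that mentions URLs without spoofing a window.
BENIGN_PAGE = """
<p>Sign in with your account at
<a href="https://accounts.example.com/signin">https://accounts.example.com/signin</a>.</p>
<p>Our documentation lives at https://docs.example.org/start</p>
"""

if __name__ == "__main__":
    for name, page in (("fake popup", FAKE_POPUP), ("benign page", BENIGN_PAGE)):
        print(name, "->", scan_html(page) or "no findings")
```

Run against the two constructed pages, the overlay is reported with all three reasons and the benign page produces nothing, because a URL shown as the text of a link to the same place is normal web content. The whole-document check (is the displayed host ever used in an href, src or action?) is what separates "the page talks about accounts.example.com" from "the page only pretends to be at accounts.example.com", which is exactly the hardcoded-URL symptom the story points to.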


Original Link: https://it.slashdot.org/story/22/03/21/236242/browser-in-the-browser-attack-can-trick-even-savvy-users?utm_source=rss1.0mainlinkanon&utm_medium=feed


Slashdot

Slashdot was originally created in September of 1997 by Rob "CmdrTaco" Malda. Today it is owned by Geeknet, Inc.
