It's now easier than ever for hackers to abuse Google Chrome

By Sead Fadilpašić
last updated

Browser-in-browser attack successfully fakes SSO pages on Google Chrome

Google Chrome icon on Android device
(Image credit: TechRadar)

Single Sign-On (SSO), an identity verification method that helps people sign into various online accounts without needing a password, can be spoofed, enabling threat actors to steal login credentials or multi-factor authentication (MFA) key.

A cybersecurity researcher going by the name mr.d0x published a template on GitHub, which uses the Browser in the Browser (BitB) attack method to create a fake browser window within a real one. The template is available for Chrome for both Windows and Mac, for both light and dark themes. 

Similar methods have been around in the past, with the main difference now being a widely available template which threat actors can now simply download, edit to their liking, and display using an iframe.

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window (opens in new tab) <<

Browser-ception

An SSO prompt usually comes in the form of a pop-up, where people can log into accounts simply by choosing one of the pre-existing accounts they have, either with Google, Facebook, Twitter, or similar. 

Speaking to BleepingComputer, mr.d0x said the templates were “simple to use”, and quite convincing. Attackers can also add the HTML for the login form directly into the template, he added, further stating how, in that case, the attackers would need to properly align the form with CSS and HTML. 

Some people already tested it out, saying they successfully tweaked it to steal MFA keys. 

Read more

> NameCheap named top phishing site hosting pick by NCSC (opens in new tab)

> Monzo customers bombarded with phishing attacks (opens in new tab)

> Phishing attacks hit more businesses than ever last year (opens in new tab)

Phishing is one of the most common cyberattack types today. They are essentially a scam attempt, as the victim needs to be the one compromising itself, either by downloading a malicious attachment or visiting a malicious website where they’ll submit their credentials. 

Threat actors will often use email, to try and “lure” people into making the mistake, often warning victims about a “problem” that needs to be urgently addressed.

Via: BleepingComputer (opens in new tab)

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

See more Computing news