New Browser-In-The Browser (BITB) Phishing Attacks

Web Servers Mobile Networks and Telephones Google
Advisory ID:
March 29, 2022


A coding ruse that is invisible to the naked eye can now be used to trick targets into disclosing sensitive information. The novel phishing technique is known as a browser-in-the-browser (BitB) attack. This type of attack employs bogus popup SSO windows to steal credentials from Google, Facebook, and Microsoft, among others.

Description & Consequence

In this attack, a hacker can use JavaScript code to display a pop-up window that is another phishing sham to trick you into entering your account information. It's difficult to tell whether it's real or not. The novel method makes use of third-party single sign-on (SSO) options embedded on websites that display popup windows for authentication, such as "Sign in with Google," Facebook, Apple, or Microsoft. While the default behavior when attempting to sign in via these methods is to be greeted by a pop-up window to complete the authentication process, the BitB attack aims to replicate this entire process using a mix of HTML and CSS code to create an entirely fabricated browser window. The created popups mimic a browser window within the browser, spoofing a legitimate domain and allowing for convincing phishing attacks. Furthermore, the BitB attack can deceive those who use the trick of hovering over a URL to determine whether it is legitimate or not. As a result, if JavaScript is allowed, the security safeguard becomes ineffective. As a result, the BitB technique undermines both the fact that a URL contains the "https" encryption designation as a trusted site and the hover-over-it security check. Potential victims must be redirected to a phishing domain that can display a fake authentication window in order to harvest credentials. However, once on the attacker's website, the user will feel at ease as they enter their credentials on what appears to be a legitimate website (because the trustworthy URL says so). 

The campaign allows the attacker leverage on the BITB trick to siphon login credentials of victims. Also, the BITB attack bypasses both a URL with HTTPS encryption and a hover-over-it security check.


1.  To stay safe, researchers recommend using secure proof of identity through a registered device or token.

2. Being cautious and refraining from entering sensitive information on an unknown website.

3. As with the browser-in-the-browser exploit, moving the window around quickly reveals that it isn't a legitimate popup, but rather an HTML construction that falls outside the main browser window.

4.  One way to try to avoid these attacks is to use a more secure browser that blocks unknown popups.




Related Articles