A penetration tester and security researcher created a novel phishing technique that makes phishing nearly invisible. The attack, dubbed Browser-in-the-Browser (BitB), can acquire sensitive information of users.

About BitB attack

According to the researcher named mr.d0x, BitB attack targets third-party single sign-on options on websites that offer popup windows for authentication, such as sign-in with Facebook, Google, Apple, or Microsoft.
  • The researcher believes that it is possible to completely fabricate a malicious version of a popup window to trick the target into giving up information. 
  • They fabricated a log-in window for Canva using basic HTML/CSS.
  • The fake popups simulate a browser window within the browser and subsequently spoof a legitimate domain, which leads to convincing phishing attacks that fool the target.

Once a victim visits the attacker-owned website, they may enter their credentials on a site that appears legitimate, ultimately, giving up their credentials to attackers.

More details

  • The researcher combined a pop-up window design with an iframe pointing to the malicious server hosting the phishing page. 
  • Further, the use of JavaScript can make the window appear on a link and button click or page loading screen.
  • For example, the JQuery JavaScript library can make the window appear visually appealing or bouncy.
  • Moreover, the attack can confuse those who use the trick of hovering over a URL to find out its legitimacy. If JavaScript is permitted, this security safeguard can be bypassed easily.


The novel BitB attack bypasses both a URL with HTTPS encryption and a hover-over-it security check. Further, the use of username and password along with 2FA is completely exposed to such attacks. To stay protected, researchers suggest using secure proof of identity via a registered device or token.

Cyware Publisher