Single sign-on (SSO) has made life easier for a lot of folks out there. By allowing users to log in using a single ID across multiple related but independent systems, this reduces password fatigue and makes logging in to multiple accounts at the same time relatively easy. The flip side of this increased convenience is that users have gotten accustomed to popup windows asking for their credentials. Browser in the browser (BitB) attacks leverage this established comfort by simulating another browser window within the malicious page, which can be made nearly impossible to distinguish from the real deal.
Many of us still remember what the Internet browsing experience of the late 1990’s was like. You would open an unfamiliar website and suddenly your browser window would be filled with a swarm of pop-up ads. Users quickly grew tired of this intrusive marketing technique, and the early 2000’s saw the emergence of pop-up and ad blockers as browser extensions. A lot of websites started incorporating these features as well; gone were the days of having to close a dozen little ads.
But, as is the way of the world, what was once old is new again. Pop-ups are back, this time serving a different purpose as the gateways to SSO (or single sign-on) log-ins. Single-sign on allows users to securely authenticate with multiple applications and websites using a single set of credentials. When logging in to an application or a website you are asked to create a new separate account for that service, or you can opt to use your existing credentials from a different service, such as Google or Facebook, to log in. As shown in the example below, choosing to use SSO causes a pop-up browser window to appear, asking for your username and password from a different service... the two most prominent examples being Google, Facebook, and sometimes Apple. In the example below, Facebook is being used as the gateway to Canva.
This fake pop-up login page can then include all the usual credential harvesting tricks used by attackers, such as asking for the password multiple times in the hopes of getting several passwords for the same user. When the credentials are finally accepted, the user might even be redirected to a legitimate website to diminish suspicion.
So how can a user tell the pop-up login window they’re being presented is fake? One way is by checking the URL of the underlying website, something few will realise to do as they will likely focus on the URL presented in the pop-up window instead. A quick and easy way to tell that the pop-up window is fake is to try dragging the pop-up outside the browser window: a fake pop-up window will stop at the border of the browser window, while a legitimate login pop-up can be moved outside these borders.