Browser-In-Browser Could Steal Passwords

John Lister's picture

A security researcher has warned that a fake browser could be used to more effectively scam users into handing over login details. Password managers and similar tools may be one way to combat the tactic.

The warning comes from a security researcher who chooses to use the pseudonym mrd0x. They dubbed the approach a "browser-in-the-browser" attack. (Source:

The tactic would take advantage of websites that have registration and accounts but let users sign in with a third party account such as Google or Facebook. This works by displaying a pop-up window that's hosted by the third party rather than being part of the website itself. (Source:

Once the user has correctly inserted their details in the box, the third-party verifies the login and sends confirmation of the user's identity back to the website.

Bogus Window Is Bad News

According to mrdOx, the problem comes if the website itself is shady. Using JavaScript, the site could build the "pop-up" into the web page and have it appear when the user clicks a button to trigger the third-party login.

The supposed pop-up would actually be part of the rogue site and could capture the log-in details for the third party. To make things worse, the pop-up window would have a fake URL to make it look more credible.

With such an approach, the biggest challenge would fall back to being the need to get the victim on the bogus webpage in the first place, as well as making it look credible.

Password Manager May Not Be Fooled

The simplest way to avoid the problem would be to avoid using third-party sign-in altogether and instead use a unique password for every site. That's certainly more inconvenient but has the benefit that it makes it harder for tech giants to track online activity.

Another "workaround" of sorts is to use password manager tools. These should refuse to auto-fill the username and password boxes because they recognize the supposed log-in box is not actually hosted on the third-party site.

What's Your Opinion?

Do you use third-party logins? Does this warning make you less likely to use them? Do you think you're safe enough spotting scam websites in the first place?

Rate this article: 
Average: 4.9 (10 votes)


buzzallnight's picture

Does this warning make you less likely to use them? yes

Do you think you're safe enough spotting scam websites in the first place? probably

pctyson's picture

I already loathe how much information Google & Microsoft have on me. I refuse to use a site that requires a Google or Microsoft sign-on. When given the option, I always create a new user and password for each site and rarely reuse the same password. Yes it is FAR more difficult to keep track of all the different logins but it is likely much less difficult to do this than to repair a stolen identity.