Browser-In-The-Browser Exploit Demo
Warning! The following page contains important knowledge!
Have you heard of the browser-in-the-browser attack? Learn how to stay safe and spot fakes!
There’s a new technique on the internet designed to fool you into giving up your credentials. It’s called the browser-in-the-browser attack, and if you’re not paying attention, you might just give away the keys to the kingdom.
The pop-up below looks pretty realistic, doesn’t it? Especially if you’re using Google Chrome in light mode. Well, go ahead – try to log in! And when you’re done, scroll down.
Everything is okay. You have not been hacked. Today.
You probably saw an error message, because this is a harmless demonstration.
However, if this was real, your information would have been compromised.
In the wild, this technique is actively being used to simulate login pages from Microsoft, Google, Facebook, Twitter, and other “single sign-on” providers.
The fake window shows an HTTPS address. It even shows the “security padlock”. The normal security cues are present, lulling you into a false sense of safety. But in reality, this is a demo that our developer threw together at 1am. Malicious hackers will devote as much time as necessary to tricking you out of your credentials, your assets, and your reputation.
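For readers who want to turn the cue described above into a check they can run, here is an added example (it is not part of the original demo page, nor the demo developer's code): a small Python heuristic that parses a page's HTML, looks for an address-bar-like `https://…` string painted as plain text (not a real hyperlink) alongside a password field, and flags the page when that displayed host differs from the host the page was actually loaded from. The host name `win-a-prize.example` and both HTML samples are constructed for the demonstration.

```python
"""Heuristic browser-in-the-browser (BitB) detector.

Added example, not part of the original demo page. A BitB page draws a
fake "window" with HTML: a painted address bar reading, say,
https://accounts.google.com plus a padlock glyph, with a sign-in form
underneath, while the document itself was served from somewhere else.
This scanner keys on exactly that mismatch between the host written into
the page as visible text and the host the page was loaded from.
All sample HTML and host names below are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches "http(s)://host" wherever it appears in visible text.
URL_TEXT = re.compile(r"https?://([A-Za-z0-9.-]+)")


class _PageScan(HTMLParser):
    """Collect the signals the heuristic needs while walking the HTML."""

    def __init__(self):
        super().__init__()
        self.in_anchor = 0           # depth inside <a>...</a>; real links are not painted bars
        self.displayed_hosts = []    # hosts that appear as plain text (painted address bars)
        self.password_fields = 0     # number of <input type="password">
        self.overlay_containers = 0  # absolute/fixed boxes, the way fake windows are drawn

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.in_anchor += 1
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        style = (a.get("style") or "").replace(" ", "").lower()
        if "position:fixed" in style or "position:absolute" in style:
            self.overlay_containers += 1

    def handle_endtag(self, tag):
        if tag == "a" and self.in_anchor:
            self.in_anchor -= 1

    def handle_data(self, data):
        if self.in_anchor:
            return  # text inside a genuine hyperlink is not a painted address bar
        for m in URL_TEXT.finditer(data):
            self.displayed_hosts.append(m.group(1).lower())


def analyse(page_url, html):
    """Compare hosts painted into the page text with the real page host.

    Returns a dict of findings. 'suspicious' is True when the page shows an
    address for a host it was NOT loaded from and also asks for a password.
    """
    real_host = (urlparse(page_url).hostname or "").lower()
    scan = _PageScan()
    scan.feed(html)
    scan.close()
    displayed = sorted(set(scan.displayed_hosts))
    mismatched = [h for h in displayed if h != real_host]
    return {
        "real_host": real_host,
        "displayed_hosts": displayed,
        "mismatched_hosts": mismatched,
        "password_fields": scan.password_fields,
        "overlay_containers": scan.overlay_containers,
        "suspicious": bool(mismatched) and scan.password_fields > 0,
    }


# Constructed sample: a page on win-a-prize.example paints a "window" whose
# title bar reads like the Google sign-in address and asks for a password.
SAMPLE_BITB = """
<html><body>
<div style="position: absolute; top: 120px; left: 300px;">
  <div class="titlebar">&#128274; https://accounts.google.com/signin</div>
  <form><input type="email"><input type="password"><button>Next</button></form>
</div>
</body></html>
"""

# Constructed sample: an ordinary sign-in form with no painted address bar.
SAMPLE_PLAIN = """
<html><body><form><input type="email"><input type="password"></form></body></html>
"""

if __name__ == "__main__":
    print(analyse("https://win-a-prize.example/promo", SAMPLE_BITB))
    print(analyse("https://accounts.google.com/signin", SAMPLE_PLAIN))
```

The result is a triage signal, not a verdict: a genuine sign-in page that prints its own address passes because the hosts match, while a help page that says "visit https://accounts.google.com directly" next to a password field would be a false positive. The count of absolutely positioned containers is reported as supporting evidence, since that is how a fake window is drawn inside the page, but it is not required for the flag.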
How to spot this attack and stay safe
- Know where you are. Don’t just click on random websites without thinking.
- Pay attention to what’s happening. If you’re browsing the internet and a window appears asking you to “sign in”, think twice!
- Don’t sign in to pop-up windows! Open a new tab or window, then visit the sign-in site (Google, Microsoft, etc.) directly.
- When possible, DO NOT use your single sign-on account to sign in to third-party websites. Yes, it’s convenient – but often unnecessary.
Share this page with your contacts, and help them stay safe!