It’s now easier than ever for hackers to abuse Google Chrome
Browser-in-browser attack successfully fakes SSO pages on Google Chrome
Single Sign-On (SSO), an identity verification method that helps people sign into various online accounts without needing a password, can be spoofed, enabling threat actors to steal login credentials or multi-factor authentication (MFA) keys.
A cybersecurity researcher going by the name mr.d0x published a template on GitHub, which uses the Browser in the Browser (BitB) attack method to create a fake browser window within a real one. The template is available for Chrome for both Windows and Mac, for both light and dark themes.
Similar methods have been around in the past; the main difference now is a widely available template that threat actors can simply download, edit to their liking, and display using an iframe.
Browser-ception
An SSO prompt usually comes in the form of a pop-up, where people can log into accounts simply by choosing one of the pre-existing accounts they have, either with Google, Facebook, Twitter, or similar.
Speaking to BleepingComputer, mr.d0x said the templates were “simple to use” and quite convincing. Attackers can also add the HTML for the login form directly into the template, he added, noting that in that case the attackers would need to properly align the form with CSS and HTML.
Some people already tested it out, saying they successfully tweaked it to steal MFA keys.
Phishing is one of the most common cyberattack types today. It is essentially a scam attempt, as the victims need to be the ones compromising themselves, either by downloading a malicious attachment or visiting a malicious website where they’ll submit their credentials.
Threat actors will often use email to try to “lure” people into making the mistake, often warning victims about a “problem” that needs to be urgently addressed.
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.