There’s a new way to steal your passwords and other vital information, and it’s so well done that most people would fall for it.

A pseudonymous hacker called “mr.d0x” last week put up a blog post detailing a very good “browser in the browser” attack in which an attacker creates a fake pop-up login window within a web page.

The “window” isn’t really a pop-up, but instead part of the underlying web page. However, mr.d0x has rigged it so that you can actually “grab” the pop-up window and move it around by clicking the title bar with your mouse cursor.

(Image credit: mr.d0x)

That’s pretty convincing, even though you might not be able to resize the fake window or scroll through it, and you definitely wouldn’t be able to drag it past the edge of the underlying web page’s window.

Nonetheless, most people will be fooled. The fake pop-up can mimic an Apple, Facebook, Google or Microsoft login page perfectly, right down to an icon in the title bar and a URL in the address bar.
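The detail that matters for defenders is that the fake window's "address bar" is nothing but text painted inside the page, whereas a real pop-up's address bar is drawn by the browser and never appears in any page's DOM. The following is an added example, not code from the article or from mr.d0x: a small heuristic that scans short text snippets for URL-looking strings whose domain differs from the page's real host, which is exactly what a browser-in-the-browser lure has to display. The sample snippets and the `attacker-site.example` host are constructed for the demonstration; the two-label "base domain" rule is a deliberate simplification rather than a public-suffix lookup.

```javascript
// Added example (not from the article or from mr.d0x): a defensive heuristic
// for spotting a "browser in the browser" fake pop-up. A genuine login pop-up
// is a separate window whose address bar is drawn by the browser; a fake one
// is ordinary page content, so any "address bar" it shows is just text in the
// page. We look for URL-like text whose host is not the host we are on.

// Pull a host out of text that looks like an address-bar URL.
// Returns null when the text does not look like one.
function hostFromAddressBarText(text) {
  const m = /^\s*(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/?#:]|\s|$)/i.exec(text);
  return m ? m[1].toLowerCase() : null;
}

// Approximate registrable domain as the last two labels. This is a
// simplification (assumption): a real tool would consult the public-suffix list.
function baseDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Given short text snippets (for example the text of small elements inside a
// modal) and the page's real host, return the snippets that display a foreign
// origin, with the host they show and the host the page is actually on.
function findSpoofedAddressBars(snippets, pageHost) {
  const real = baseDomain(pageHost.toLowerCase());
  const hits = [];
  for (const s of snippets) {
    const host = hostFromAddressBarText(s);
    if (host && baseDomain(host) !== real) {
      hits.push({ text: s.trim(), shownHost: host, realHost: pageHost });
    }
  }
  return hits;
}

// Optional DOM scan for use from a browser console or extension content
// script: a painted address bar lives in a short, single-line element.
// Does nothing outside a browser so the block still runs under Node.
function scanDocument(doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return [];
  const snippets = [];
  for (const el of doc.querySelectorAll('div,span,p,input')) {
    const t = el.tagName === 'INPUT' ? el.value : el.textContent;
    if (t && t.length < 120 && !t.includes('\n')) snippets.push(t);
  }
  return findSpoofedAddressBars(snippets, doc.location.hostname);
}

// Constructed sample: text fragments as they might appear on a phishing page
// hosted at attacker-site.example (placeholder host) that paints a fake
// Facebook login pop-up. Only the second line mimics a foreign address bar.
const constructedSnippets = [
  'Log in to Facebook',
  'https://www.facebook.com/login.php?next=...',
  'attacker-site.example/account',
  'Sign in with Google',
];

// Run the heuristic over the constructed sample; in a browser you would call
// scanDocument() instead and inspect what it returns.
const constructedHits = findSpoofedAddressBars(constructedSnippets, 'attacker-site.example');
console.log(constructedHits);
```

The check is a heuristic, not proof: a legitimate page may quote another site's URL in its text, and a lure can render the address bar as an image rather than text. It does, however, encode the one invariant the article describes, that the fake window and everything it shows are part of the page you are already on.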

Two Facebook single sign-on pop-up windows, fake and real. The only difference is that the real one can be scrolled. (Image credit: mr.d0x)

How to avoid being fooled by a fake pop-up window

