article featured image


When logging onto websites, users often have the choice of signing in with Google, Microsoft, Apple, Twitter, or even Steam.

A single-sign-on (SSO) browser window will open, inviting the user to input their credentials and log into their account when clicking the Login in Google or login in App buttons.

While the address bar is blocked in these SSO windows, the user may still use the displayed URL to verify if it’s logged in through a real google.com domain. This URL further establishes the form’s trustworthiness, allowing for the input of login credentials with confidence.

Threat actors have tried to generate similar bogus SSO windows in the past using HTML, CSS, and JavaScript, but the windows are often a bit wrong, making them seem suspicious.

What Happened?

This is where a new “Browser in the Browser (BitB) Attack” comes into play, which utilizes pre-made templates to build phony but realistic Chrome popup windows with configurable address URLs and names for use in phishing assaults.

As BleepingComputer reports, this exploit produces bogus browser windows within legitimate browser windows (Browser in the Browser) in order to conduct convincing phishing assaults.

Mr.d0x, a security researcher, designed the Browser in the Browser attack templates and made them available on GitHub. According to Mr.d0x, the templates are very easy to use in order to create convincing Chrome windows that show single sign-on login forms for any website.

Fortunately for us, replicating the entire window design using basic HTML/CSS is quite simple. Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it is basically indistinguishable. The image below shows the fake window compared to the real window. Few people would notice the slight differences between the two.

JavaScript can be easily used to make the window appear on a link or button click, on the page loading, etc. And of course, you can make the window appear in a visually appealing manner through animations available in libraries such as JQuery.


According to the researcher, red teamers could simply download the templates, alter them to include the appropriate URL and window title, and then show the login form through an iframe.

With this technique we are now able to up our phishing game. The target user would still need to land on your website for the pop-up window to be displayed. But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so).


However, now that prefabricated Chrome window templates are accessible, red teamers may use them to generate convincing phishing sign-in forms to assess their customers’ or own company’s workers’ defenses.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo