When we teach people how to avoid falling victim to phishing sites, we usually advise closely inspecting the address bar to make sure it does contain HTTPS and that it doesn’t contain suspicious domains such as google.evildomain.com or substitute letters such as g00gle.com. But what if someone found a way to phish passwords using a malicious site that didn’t contain these telltale signs?
One researcher has devised a technique to do just that. He calls it a BitB, short for "browser in the browser." It uses a fake browser window inside a real browser window to spoof an OAuth page. Hundreds of thousands of sites use the OAuth protocol to let visitors login using their existing accounts with companies like Google, Facebook, or Apple. Instead of having to create an account on the new site, visitors can use an account that they already have—and the magic of OAuth does the rest.
Exploiting trust
The photo editing site Canva, for instance, gives visitors the option to login using any of three common accounts. The images below show what a user sees after clicking the "sign in" button; following that, the image show what appears after choosing to sign in with a Google password. After the user chooses Google, a new browser window with a legitimate address opens in front of the existing Canva window.
Read 15 remaining paragraphs | Comments
https://ift.tt/xMFGbul
Comments