Security News > 2022 > September > Serious Security: Browser-in-the-browser attacks – watch out for windows that aren’t!

The idea of a BitB attack is to create what looks like a popup browser window that was generated securely by the browser itself, but that is actually nothing more than a web page that was rendered in an existing browser window.
You'd have to admit that the resulting visual content looks exactly like a standalone browser window, even though it's actually a web page inside another browser window.
Of course, if you click on an app screenshot inside a photo browser, you're at very little risk, because the clicks or taps simply won't do what you expect - indeed, you may end up editing or scribbling lines on the image instead. But when it comes to a browser-in-the-browser "Artwork attack" instead, misdirected clicks or taps in a simulated window can be dangerous, because you're still in an active browser window, where JavaScript is in play, and where links still work.
Worse still, any JavaScript running in the active browser window can simulate some of the expected behaviour of a genuine browser popup window in order to add realism, such as dragging it, resizing it, and more.
Browser-in-the-Browser windows aren't real browser windows.
A real browser window will behave independently, so you can move it outside and beyond the original browser window.
News URL
Related news
- Microsoft shares workaround for Windows security update issues (source)
- CrowdStrike Security Report: Generative AI Powers Social Engineering Attacks (source)
- Researchers Expose New Polymorphic Attack That Clones Browser Extensions to Steal Credentials (source)
- Browser-Based Data Leaks: 3 Biggest Data Security Challenges Today (source)
- AI-Powered SaaS Security: Keeping Pace with an Expanding Attack Surface (source)
- Browser-in-the-Browser attacks target CS2 players' Steam accounts (source)
- EncryptHub linked to MMC zero-day attacks on Windows systems (source)