SecOpsJan Kahmen5 min read

What is a Browser-in-the-Browser Attack?

A type of phishing attack, browser-in-the-browser (BitB), simulates a login window with a fake domain name inside a parent browser window to steal credentials.

Table of Content

What is a Browser-in-the-Browser?

An Infosec researcher and pentester, mr.d0x, discovered a security attack that is now recognized as the browser-in-the-browser (BITB) attack. He acknowledged that current web development technologies such as HTML, CSS, and JavaScript tools are so powerful that they are able to generate any display on the web page, from fields in any colour and design to animations that appear like the interactive components of the user interface. This implies that phishers can use these tools to replicate a full-page of another service within their own website.
If a user opts for single sign-on (SSO) to gain access to multiple interconnected websites or web applications, they may be exposed to malicious pop-ups designed to collect sensitive information from the user, such as login credentials. This type of phishing attack differs from a Browser attack in that it will display any URL that closely resembles a legitimate one. Cybercriminals can create a webpage inside a Browser which mimics a legitimate domain, thus exploiting users' preference for single sign-on who opt not to remember lengthy login credentials.
Cybercriminals can take advantage of users being unable to differentiate between a legitimate and a malicious domain once a pop-up window appears, thus increasing the risk of businesses offering single sign-on across their multiple applications getting exposed to browser attacks. For these businesses it is essential to be aware of the risks connected to SSO and implement rigorous security protocols to protect consumer information from harm.

What is the Best Way to Tell if the Login Window is Real or Fake?

Identifying fake login windows can be done in a few ways, even though it might not appear to be obvious. Login windows are browser windows, and they behave as such; they can be maximized, minimized, and repositioned on the screen. In contrast, fake pop-ups cannot be moved. Furthermore, they may obscure buttons and images in their borders, but only within their area.
To check if your login form is legitimate, you can try these steps:

  • If the form appears in a browser window, it should be minimized. Additionally, if the login box is located in a separate window and then disappears, it is likely a fraudulent website. To ensure safety, it is essential to keep a legitimate window visible at all times.
  • If the login window is moved beyond the boundaries of the parent window, logging in will prove to be difficult. A genuine window can go beyond the boundaries, whereas a counterfeit one will not.
  • If the login form behaves in a strange manner, such as being minimized alongside another window, or hiding beneath the address bar or disappearing underneath it, do not enter your credentials.


It may seem at first that the attack is dangerous, but in reality it can be managed with an appropriate security solution. Even if a malicious site appears to be legitimate, the true address remains the same, and it's this that a security solution uses to detect anything suspicious.

Invest in a reliable password manager for all your accounts to ensure the authentic address of any website you visit. Additionally, make sure never to enter your credentials on a site you don't recognize, no matter how trustworthy it may seem. To further fortify your security, install a sturdy security solution that includes an anti-phishing feature. This will help verify the URL and alert you to any unsafe sites.

Don't forget to turn on two-factor authentication if it's available. This will stop intruders from being able to access your account, even if they get ahold of your credentials, because they won't be able to use the one-time code sent to you.

If you need extra security for high-risk accounts, U2F hardware tokens (YubiKey being the most popular) is what we suggest. This system verifies not just the address, but also the encryption key of a website, making it impossible for anyone to pass through the authentication process even if a website looks identical to the original.

Curious? Convinced? Interested?

Arrange a no-obligation consultation with one of our product experts today.