Skip to content

Now anyone can create fake Chrome window

  • by
  • 2 min read

A toolkit created by security researcher Mr.Dox can now let just about anyone create Chrome’s SSO windows for a novel “Browser in the Browser” attack phishing people for their login credentials.

These days, many websites have added login options where users can log in with their Google, Facebook, or other accounts. Doing so launches an additional window called the single sign-on or SSO windows that are stripped down just to a login form and the URL so you’d know you’re on the right page.

Hackers have attempted to rebuild these windows using vanilla HTML, CSS and JavaScript, but they’ve always looked slightly different. However, this new exploit creates templates for these SSO windows for Chrome on Windows and Mac and even have dark and light mode variants.

In the News: Netflix is testing a pay to share model in Chile, Costa Rica, and Peru

Is the browser really your browser?

According to the researchers, users can simply download the templates, edit them to include the desired URL and window title and use an iframe tag to use them in their web pages. 

Kuba Gretzky, the creator of the Evilgnix phishing toolkit, also tested out the new method and reported that it works perfectly with the Evilgnix platform, meaning the toolkit can be adapted to steal two-factor authentication keys in phishing attacks. 

These types of fake SSO window phishing attacks aren’t new either. Fake gaming sites have previously used them to steal Steam credentials in 2020. 

However, now that these templates are freely available, chances are we’ll be seeing a lot more of such attacks. Redteamers can also use them to create phishing pages to test their company’s or client’s defences. 

In the News: ApeCoin: Bored Ape Yacht Club’s fresh crypto venture


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: [email protected].