Single Sign-On (SSO), an identity verification method that helps people sign into various online accounts without needing a password, can be spoofed, enabling threat actors to steal login credentials or multi-factor authentication (MFA) key.

A cybersecurity researcher going by the name mr.d0x published a template on GitHub, which uses the Browser in the Browser (BitB) attack method to create a fake browser window within a real one. The template is available for Chrome for both Windows and Mac, for both light and dark themes. 

Similar methods have been around in the past, with the main difference now being a widely available template which threat actors can now simply download, edit to their liking, and display using an iframe.


An SSO prompt usually comes in the form of a pop-up, where people can log into accounts simply by choosing one of the pre-existing accounts they have, either with Google, Facebook, Twitter, or similar. 

Speaking to BleepingComputer, mr.d0x said the templates were “simple to use”, and quite convincing. Attackers can also add the HTML for the login form directly into the template, he added, further stating how, in that case, the attackers would need to properly align the form with CSS and HTML. 

Some people already tested it out, saying they successfully tweaked it to steal MFA keys. 

Phishing is one of the most common cyberattack types today. They are essentially a scam attempt, as the victim needs to be the one compromising itself, either by downloading a malicious attachment or visiting a malicious website where they’ll submit their credentials. 

Threat actors will often use email, to try and “lure” people into making the mistake, often warning victims about a “problem” that needs to be urgently addressed.

Via: BleepingComputer