Hundreds of thousands of sites use the OAuth protocol to let visitors log in using their existing accounts with companies like Google, Facebook, or Apple. Instead of having to create an account on the new site, visitors can use an account that they already have — and the magic of OAuth does the rest. The Browser-in-the-Browser (BitB) technique capitalizes on this scheme. Instead of opening a genuine second browser window that’s connected to the site facilitating the login or payment, BitB uses a series of HTML and cascading style sheets (CSS) tricks to convincingly spoof the second window. The URL that appears there can show a valid address, complete with a padlock and HTTPS prefix. The layout and behavior of the window appear identical to the real thing.

Source: Browser-in-the-Browser Attack Can Trick Even Savvy Users – Slashdot