brave / browser-laptop

[DEPRECATED] Please see https://github.com/brave/brave-browser for the current version of Brave
https://www.brave.com

Brave UI should be unique to prevent picture-in-picture attacks #684

Closed mikemaccana closed 8 years ago

mikemaccana commented 8 years ago

Here's the current Brave chrome showing a site which in turn shows a fake browser UI, to steal your cyber goodies:

[Image: picture-in-picture]

By making the real chrome unique to the user, it's more obvious that the fake browser UI is fake:

[Image: picture-in-picture-better]

bbondy commented 8 years ago

Good idea, maybe we can allow customizing the lion icon? This seems like an easy differentiating win. Thoughts @diracdeltas @bradleyrichter ?

bradleyrichter commented 8 years ago

@mikemaccana Interesting idea and problem to solve.

We need the lion icon as a UI button that will allow quick access to various features of Brave's ad/tracker control, as well as micropayment toggles per-site.

Is there a way to hide the browser's identity from the cyber-criminal requiring them to guess which browser it is? Other than having support for custom themes, I am not sure there is an easy way to completely prevent this problem since the user may still be confused by a fake window that has even 30% of the recognizable UI elements.

We should monitor this problem while considering possible solutions. Thanks!

mikemaccana commented 8 years ago

@bradleyrichter In answer to your question, Brave's navigator.userAgent identifies it as Brave, but you can do browser detection via feature detection, e.g., if Brave has particular globals, or if its inbuilts work differently than other browsers. There may also be legitimate reasons to identify as Brave.

Side note: if Brave decided to do private windows (currently it does private tabs, not sure of the security implication there re: cross tab/same window) the same area with the user avatar could be used to indicate the window as private.

bbondy commented 8 years ago

> Is there a way to hide the browser's identity from the cyber-criminal requiring them to guess which browser it is?

Yep, user agent, but even if there wasn't, then nothing stops an attacker from being right 1/Nth of the time.

> , I am not sure there is an easy way to completely prevent this problem since the user may still be confused by a fake window that has even 30% of the recognizable UI elements.

There is, by allowing a user to put an image themselves into the UI so they can identify the true chrome easily, as originally suggested.

bradleyrichter commented 8 years ago

This may be solved in the future when we add some identity to show you are logged in, or to differentiate between different sessioned tabs, similar to Chrome. The point I was making is that "my mom" will still be fooled by the fake window until it reaches some threshold of looking different.

Chrome user: [Image: screen shot 2016-02-09 at 10 08 55 am]

Past the threshold example:

[Image: screen shot 2016-02-09 at 10 07 34 am]

diracdeltas commented 8 years ago

Thanks @mikemaccana, this is great to think about. I agree with Brad's skepticism that users will be able to tell a fake window from a real one even if there are user-unique elements in the real window. Even if they put a user-chosen picture into the real window, people might not remember to look for it in the fake window before entering their password, or might assume that it not being there is a browser bug.

@collinjackson @abarth: thoughts on whether this is worth mitigating?

bradleyrichter commented 8 years ago

Closing this in the hope that we don't find this to be a problem, but will of course solve it at that point if needed.

bbondy commented 8 years ago

Also cc'ing @ericlaw1979 in case he can share an opinion.

ericlaw1979 commented 8 years ago

I like theming myself, but all of the research I've seen says it does not meaningfully improve security. I'll blog an amusing/scary anecdote on this soon.

bsclifton commented 8 years ago

I don't think customizing would solve the issue at all (opinion). This is an interesting problem to solve. I'd be more interested in exploring scanning images to look for OS widgets (close button, minimize, maximize, etc). This would be ridiculously expensive of course, but it's got me intrigued now.

ericlaw1979 commented 8 years ago

Image analysis would never work; attackers would just tune the attacks to bypass, and the performance impact would be horrific.

bsclifton commented 8 years ago

@ericlaw1979 did you ever post that anecdote? :smile: