BitB (Browser in the Browser) scheme / attack

I found this a very interesting read.


Interesting. What about not using a Google, Apple or Facebook ID? I always recommend making a new account with its own password and not logging in with Google e.g.

Ah, but then you’re forgetting the built in laziness of your average internet user nowadays.
If I had a euro for every time I’ve heard this: “Oh come on, do I really need to create a new user and password? Why can’t I use the same everywhere?”, I’d be rich by now.
And this is said in an environment with AD running. So there’s already a lot one can do with that user/password within the organization.
The difficult answer to the question: a password manager. But that seems a bridge too far for a lot of people…