Can you be phished when logged in via Google/Facebook?

Let’s say you went to a website that allowed you to log in using your Google account:

When you pressed the “Log in with Google” button, you saw this:

You had checked that the pop-up web-browser window was really at Google’s domain (“”). So you entered your Google account name (i.e. your Google email), password and 2-step-verification code.

You should be safe and secure, right?


It is still possible that you were phished. In this hypothetical example, even using 2-step verification could not save you. As I wrote before in “You can be phished even when you see “” in address bar”.

What happened was that the pop-up window was actually not a web-browser window. It was a realistic render of a web-browser window within the web page.
Take a look at this video to see how realistic the rendering of the fake web-browser window can be:

Recently, someone released a programming toolkit for creating renderings of fake web-browser windows for the purpose of phishing. This toolkit makes it extremely easy for miscreants to carry out such phishing attacks.

How can I protect myself?

As I wrote before, a password manager can protect you from such phishing attacks. Many password managers (e.g. LastPass, 1Password, iCloud Keychain, and even your web-browser’s built-in password manager) can fill in the password field for you. They will only fill in the correct password when you are at the correct website domain. They cannot be fooled by phishing tricks designed to deceive the human eye.
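The domain check described above can be sketched as follows. This is an added example, not code from the original post or from any of the password managers named. The names `savedLogin`, `originOf`, `shouldAutofill` and `evaluate`, and all `.example` URLs, are constructed for illustration, and exact-origin matching is an assumption (real products apply their own matching rules).

```javascript
// Credential as a hypothetical password manager stores it: bound to the origin
// of the page where it was saved. All values here are constructed samples.
const savedLogin = { origin: "https://accounts.idp.example", username: "alice@idp.example" };

// Origin of the real top-level document. A manager gets this from the browser,
// never from anything the page draws. Non-HTTPS or unparsable URLs never match.
function originOf(urlString) {
  try {
    const u = new URL(urlString);
    return u.protocol === "https:" ? u.origin : null;
  } catch {
    return null;
  }
}

// Fill only on an exact origin match (scheme + host + port).
function shouldAutofill(saved, topLevelUrl) {
  const actual = originOf(topLevelUrl);
  return actual !== null && actual === saved.origin;
}

// Compare what the human reads with what the manager checks.
// addressBarText is only text shown to the user; a rendered fake window controls it.
function evaluate(saved, page) {
  return {
    humanSees: page.addressBarText,
    managerSees: originOf(page.topLevelUrl),
    autofill: shouldAutofill(saved, page.topLevelUrl),
  };
}

const idpUrl = "https://accounts.idp.example/signin";
const cases = [
  // Genuine pop-up: drawn address and real location agree.
  { name: "real login window", topLevelUrl: idpUrl, addressBarText: idpUrl },
  // Fake window rendered inside another site's page: the drawn address bar
  // shows the identity provider, but the document lives elsewhere.
  { name: "rendered fake window", topLevelUrl: "https://unrelated-site.example/login", addressBarText: idpUrl },
  // Host that merely begins with the saved host name.
  { name: "host prefix only", topLevelUrl: "https://accounts.idp.example.unrelated-site.example/signin", addressBarText: idpUrl },
  // Saved host name placed in the userinfo part of the URL.
  { name: "userinfo part", topLevelUrl: "https://accounts.idp.example@unrelated-site.example/signin", addressBarText: idpUrl },
  // Right host, but not HTTPS.
  { name: "plain http", topLevelUrl: "http://accounts.idp.example/signin", addressBarText: idpUrl },
];

for (const c of cases) {
  console.log(c.name.padEnd(22), JSON.stringify(evaluate(savedLogin, c)));
}
```

Only the first case is filled. In the other four the human still reads the expected address, which is why a manager that declines to fill is a signal worth stopping for.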

This is a companion discussion topic for the original entry at

What Level Of Protection Can You Afford?

The question is what do you want to keep private from whom? Ordinary people around the world have no privacy on the internet or telephone nor could they even afford the cost of top level protection. Hardline and radio phone systems are totally surveilled. There was never any internet privacy and it isn’t even possible at the consumer level. Same with the phone systems. There will always be someone selling some degree of “protection” but do not confuse that with “privacy”.

Wouldn’t It Be Easier To Just Check The Site Information/certificate?

Thanks. This is a helpful tip for everyday people who are not super technical. I used to be a full-time tech. and I hadn’t heard of this toolkit. Yikes!
My thought is…wouldn’t it be easier for non-experts to just check the security/certificate in the browser’s address bar? Is there some reason you aren’t satisfied with that information?

Easy Fix

Don’t sign in with Google/Facebook/Linkedin/etc. Sign in to all sites directly.


What if that toolkit simulates a fake certificate information window from the fake browser address bar?

Q A Testing For Fun And Profit

When I was a software interface tester I used various programs to script functions, features and fuck-ups sorry mis-takes to proof the work of programmers. The toolkit in question sounds to me like some version of QA testing software. Not much of a reach.
And yes, every human action interfacing with a software can be mimicked.
“Resistance is futile, you will be assimilated (bot lives matter)”

You must be mistaken, as programmers never make mistakes. Even when you show them the problem as it occurs, they will deny it.

Is there proof of anything like this yet?

It has not been done yet. But it is well within the realm of possibility.

Back in the day, in times of yore, when net energy from a barrel of extracted oil was crazy high, I think the proper term in use was “design feature”.


Leaving aside past allegations of personal data leakage from this social media, let’s be sure that phishing threat exists anywhere. Especially important it is for enterprises, because at stake there is not just some telephone number or a bikini-clad image, but serious industrial information. So we use intexsoft to develop all our corporate software and apps as I want to be sure that everything is safe.