Man-in-the-Browser (MitB) Attack Explained

Analogy
Imagine handing a perfectly filled bank transfer form to a bank employee. But just before submitting it, someone invisible in the system quietly changes the recipient and amount. You still get a printed receipt showing what you entered — but your money's already gone to someone else.
That’s what a Man-in-the-Browser (MitB) attack feels like — a silent thief inside your browser.
What is a Man-in-the-Browser Attack?
MitB is an advanced form of a Man-in-the-Middle (MitM) attack, but instead of hijacking data between your browser and the internet, the attacker hijacks it from inside your browser.
They do this using malware (usually a Trojan) that infects your system and secretly alters what your browser sends and receives.
How the Attack Works — Step by Step
1. Trojan Infection
The attacker infects your system with a Trojan using:
Malicious downloads
Phishing emails
Fake software installers
2. Browser Injection
The Trojan installs malicious scripts or browser extensions that hook into your browser.
3. Browser Restarts, Code Activates
Once the browser restarts, the malicious code goes live.
4. Targeted Websites Are Watched
The malware watches for visits to specific sites — e.g., online banking or payment gateways.
5. User Logs In Normally
You log in to your bank with the correct credentials over HTTPS. Everything looks normal.
What Happens Behind the Scenes?
Step 1: Registering a Button Handler
The malware hooks into the browser and waits for actions — like form submissions or clicks.
Step 2: Intercepting & Modifying Data
When you submit a transaction:
The malware reads the form data using the DOM.
It modifies the values silently (e.g., changes ₹100 to ₹10,000 and changes the account).
Step 3: Sending Modified Data
The altered data is sent to the server, which has no idea it’s been tampered with.
Step 4: Altering the Receipt
The server responds with a confirmation for the attacker's version of the transaction, but the malware rewrites the receipt in the page so it matches your original request.
Step 5: User is Fooled
You see a receipt for ₹100 to “Person A,” but the bank has actually processed ₹10,000 to “Attacker’s Account.”
Why This Is Dangerous
Invisible to Users
Users see what they expect — everything looks legit.
Bypasses Encryption & 2FA
Because the tampering happens inside your trusted browser, after you have already logged in and passed 2FA, the form data is altered before it is encrypted for transit.
Hard to Detect on the Server Side
The request arrives over a legitimate, authenticated session.
How to Defend Against MitB Attacks
Use Endpoint Protection
Anti-malware tools can catch Trojans before they infect the browser.
Keep Browsers Updated
Many MitB attacks exploit outdated browser vulnerabilities.
Disable Unnecessary Extensions
Avoid shady plugins or extensions with high permissions.
Use Out-of-Band Transaction Verification
Banks should confirm actions via SMS, email, or a separate device.
Server-Side Anomaly Detection
Monitor for suspicious behavior like changes in beneficiary or amount.
Security Awareness for Users
Teach users how to identify phishing emails and fake software.
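The two server-side defenses above (anomaly detection and out-of-band confirmation) work together: the bank cannot see that the browser tampered with the form, but it can notice that a transfer looks unlike the user's history and push the values it actually received to a second device. The sketch below is an added example written for this post, not code from any bank or product; the transfer history, the user name and the 3x "spike" threshold are all constructed for illustration. The key design point is that the confirmation text is built from the server's copy of the request, so a tampered ₹10,000 transfer shows up as ₹10,000 on the user's phone, no matter what the infected browser displays.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    user: str
    beneficiary: str
    amount: int  # whole currency units (INR in this example)


# Constructed sample history for one user; not real data.
HISTORY = [
    Transfer("alice", "Person A", 100),
    Transfer("alice", "Person A", 250),
    Transfer("alice", "Landlord", 1500),
    Transfer("alice", "Person A", 120),
    Transfer("alice", "Landlord", 1500),
]

NEW_BENEFICIARY = "new_beneficiary"
AMOUNT_SPIKE = "amount_spike"


def assess_transfer(tx, history, spike_factor=3):
    """Return anomaly flags for tx relative to the same user's past transfers.

    new_beneficiary - the user has never paid this account before
    amount_spike    - amount exceeds spike_factor x the user's largest past transfer
    An empty list means nothing looked unusual. The threshold is an
    illustrative assumption, not a recommended production value.
    """
    past = [h for h in history if h.user == tx.user]
    flags = []
    if tx.beneficiary not in {h.beneficiary for h in past}:
        flags.append(NEW_BENEFICIARY)
    if past and tx.amount > spike_factor * max(h.amount for h in past):
        flags.append(AMOUNT_SPIKE)
    return flags


def build_confirmation_message(tx):
    """Text sent over the second channel (SMS / app push).

    Built only from the values the server received. If the browser altered
    the form, the altered values are exactly what the user should see here.
    """
    return (f"Confirm transfer of INR {tx.amount:,} to '{tx.beneficiary}'. "
            f"Approve only if this matches what you entered.")


def process_transfer(tx, history, confirm_out_of_band):
    """Decide whether to execute tx.

    confirm_out_of_band(message) stands in for the separate device and
    returns True only if the user approved the message. Unflagged transfers
    proceed without the extra step; flagged ones require approval.
    """
    flags = assess_transfer(tx, history)
    if flags and not confirm_out_of_band(build_confirmation_message(tx)):
        return {"executed": False, "flags": flags}
    return {"executed": True, "flags": flags}


if __name__ == "__main__":
    # What the server receives after a MitB rewrite of a "100 to Person A" transfer.
    tampered = Transfer("alice", "Attacker's Account", 10_000)
    # The user reads the message on their phone and refuses, because it does
    # not match the 100 to Person A they typed in the browser.
    result = process_transfer(tampered, HISTORY, lambda msg: False)
    print(build_confirmation_message(tampered))
    print(result)
```

Because the anomaly flags are computed from the account's own history rather than from anything the client sends, a MitB Trojan cannot suppress them; and because the confirmation step is on a device the Trojan does not control, the user gets one honest view of the transaction before money moves.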
TL;DR
Trojan infects the browser
Malicious code watches for sensitive actions
Data is modified silently during transactions
Fake confirmation screens trick the user
The attacker successfully steals money or data
Stay tuned — next in the ‘Exploits Explained’ series: Clickjacking.
