BitM Shield

Browser-in-the-Middle is a phishing technique that streams an attacker-controlled browser to the victim through noVNC. The victim sees the real Google or Microsoft login page rendered through an attacker's relay, types their password and 2FA code, and the attacker captures everything as it flows through. FIDO2 and passkeys don't help: the attacker's browser holds the authenticated session, not yours. The page being rendered is real Google or Microsoft, so domain blocklists and HTTPS checks pass cleanly. Phishkit signature scanners have nothing to fingerprint because there is no HTML clone.

BitM Shield watches for fingerprints that real login pages never produce. The strongest signal is the RFB protocol handshake: noVNC's first server message is the literal string `RFB 003.xxx`, and nothing legitimate on the web sends that byte sequence in a WebSocket frame. Other signals include noVNC library globals like `window.RFB`, the `#noVNC_canvas` DOM element, canvas-only login pages with no real password input, and origin mismatches where a page mimics a real IdP from a different hostname. Each signal contributes to a weighted risk score that drives one of three states: safe, caution, or danger. The warning attaches via Shadow DOM so the underlying page cannot remove or restyle it. An 8-second cooldown on the dismiss button prevents accidental click-through.

The extension is open source and MIT licensed. The Chrome Web Store listing is coming after a review period. For now, install manually: clone the repo, open `chrome://extensions/`, enable Developer mode, click Load unpacked, and select the folder. The shield icon appears in your toolbar. Source code, install instructions, detection details, and security policy are all on the repository: https://github.com/lexlabtools/bitm-shield