- SquareX says hackers can abuse the Fullscreen API in Safari to trick people into running remote browsers
- The browser-in-the-middle attack is good for stealing login credentials
- Apple says guardrails are in place and will not pursue it further
Fullscreen API, a functionality in the Apple Safari browser which allows web developers to present specific elements in fullscreen mode, has a vulnerability that is being abused in convincing password theft attacks, experts have warned.
Security researchers SquareX claim to have observed an increase in use in this type of attack, which leverages the browser-in-the-middle (Bitm) technique.
Essentially, victims get tricked into interacting with a remote browser that’s under the attackers’ control. Since the browser is in full-screen mode, user interface (UI) and system elements are hidden, making spotting the attack somewhat more difficult.
Guardrails in place
As a result, the victims log into different accounts in a remote browser, thinking they’re doing it on their own device.
They still log in, but the process is done on the attacker’s machine, which allows them to harvest login credentials, authentication cookies, and more.
“SquareX’s research team has observed multiple instances of the browser’s FullScreen API being exploited to address this flaw by displaying a fullscreen BitM window that covers the parent window’s address bar, as well as a limitation specific to Safari browsers that makes fullscreen BitM attacks especially convincing,” the researchers said in the report.
The “limitations specific to Safari browsers” the researchers mentioned are apparently about notifications, since the Apple browser allegedly doesn’t properly alert users when a browser window enters fullscreen mode.
The researchers said that competing browsers, such as Chromium-based ones, or Firefox, show an alert whenever fullscreen is active. While they might still miss the alert, the chances are smaller compared to Safari, where there is no alert. Instead, the only signal is a swipe animation that, as the researchers claim, can easily be missed.
“While the attack works on all browsers, fullscreen BiTM attacks are particularly convincing on Safari browsers due to the lack of clear visual cues when going fullscreen,” SquareX concluded.
The researchers also said they reached out to Apple, who decided not to pursue it further – as apparently, the animation is signal enough.
Via BleepingComputer
Leave a comment