A weakness in Apple's Safari web browser allows threat actors to leverage the fullscreen browser-in-the-middle (BitM) technique to steal account credentials from unsuspecting users.
By abusing the Fullscreen API, which lets any content on a webpage enter the browser's fullscreen viewing mode, attackers can exploit the weakness to make guardrails less visible on Chromium-based browsers and trick victims into typing sensitive data into an attacker-controlled window.
SquareX researchers observed a rise in this kind of malicious activity and say that such attacks are particularly dangerous for Safari users, as Apple's browser fails to properly alert users when a browser window enters fullscreen mode.
"SquareX's research team has observed multiple instances of the browser's FullScreen API being exploited to address this flaw by displaying a fullscreen BitM window that covers the parent window's address bar, as well as a limitation specific to Safari browsers that makes fullscreen BitM attacks especially convincing," the report describes.
How BitM works
A standard BitM attack involves tricking users into interacting with an attacker-controlled remote browser that displays a legitimate login page. This is achieved through tools like noVNC, an open-source VNC browser client, which opens a remote browser on top of the victim's session.
Source: SquareX
Because the login process happens in the attacker's browser, the credentials are collected, but the victim also successfully accesses their account, unaware of the theft.
The attack still requires tricking the victim into clicking a malicious link that redirects them to a fake website impersonating the target service. However, this can be easily achieved through sponsored ads in web browsers, social media posts, or comments.
Source: SquareX
Fullscreen deception
If users miss the suspicious URL in the browser bar and click on the login button, the BitM window becomes active. Until triggered, the window stays hidden from the victim in minimized mode.
Once activated, the attacker-controlled browser window enters fullscreen mode and covers the fake website, showing the user the legitimate site they wanted to access.
Security solutions like EDRs or SASE/SSE won't trigger any warnings when this happens, since the attack abuses standard browser APIs.
The researchers explain that Firefox and Chromium-based browsers (e.g. Chrome and Edge) show an alert whenever fullscreen is active. Although many users may miss the warning, it is still a guardrail that lowers the risk of a BitM attack.
Source: SquareX
However, on Safari there is no alert, and the only sign of a browser entering fullscreen mode is a "swipe" animation that can easily be missed.
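As an added example that is not part of the SquareX report or any Apple code, the following browser-extension content-script logic restores the missing cue on the defender's side: it listens for both the standard and the WebKit-prefixed fullscreenchange events, logs every transition together with the origin it happened on, and injects a banner naming that origin inside the fullscreen element. The banner element id, its text, and the fake document used to exercise it are assumptions.

```javascript
// Added example (not SquareX's or Apple's code): a fullscreen monitor for a browser-extension
// content script. The document is a parameter so the logic can also run outside a browser.

// Safari exposes the WebKit-prefixed property; other engines expose the standard one.
function fullscreenElementOf(doc) {
  return doc.fullscreenElement || doc.webkitFullscreenElement || null;
}

// The banner restates the page origin: a fullscreen BitM window hides the address bar,
// which is otherwise the only place the user could read it.
function bannerText(origin) {
  return 'This page is in fullscreen mode. You are on ' + origin + '. Press Esc to exit.';
}

// Replace any existing banner; return the new element, or null when fullscreen ended.
function updateBanner(doc, target) {
  const id = 'fullscreen-origin-banner'; // hypothetical id for the injected element
  const old = doc.getElementById(id);
  if (old) old.remove();
  if (!target) return null;
  // Only the fullscreen element's subtree is rendered in the top layer, so the banner must
  // live inside it. An iframe, video or canvas cannot host children; fall back to body, where
  // the banner stays hidden until fullscreen ends, so another cue (e.g. a toolbar badge) is needed.
  const hostless = ['IFRAME', 'VIDEO', 'CANVAS'].includes(String(target.tagName).toUpperCase());
  const container = hostless ? doc.body : target;
  const el = doc.createElement('div');
  el.id = id;
  el.setAttribute('style', 'position:fixed;top:0;left:0;width:100%;z-index:2147483647;' +
    'background:#b00020;color:#fff;font:16px sans-serif;padding:8px;text-align:center;');
  el.textContent = bannerText(doc.location.origin);
  container.appendChild(el);
  return el;
}

// Listen on both event names and record each transition with the origin it happened on,
// which gives a reviewer a log of which sites went fullscreen and when.
function installFullscreenMonitor(doc, now = () => Date.now()) {
  const log = [];
  const onChange = () => {
    const target = fullscreenElementOf(doc);
    const entry = { active: target !== null, origin: doc.location.origin, at: now() };
    log.push(entry);
    updateBanner(doc, target);
  };
  for (const name of ['fullscreenchange', 'webkitfullscreenchange']) {
    doc.addEventListener(name, onChange);
  }
  return { log, onChange };
}
```

A page's own script can remove injected DOM, so this is a visibility aid for users and a log source for analysts rather than a security boundary; the durable fix remains a browser-level indicator.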
"While the attack works on all browsers, fullscreen BiTM attacks are particularly convincing on Safari browsers due to the lack of clear visual cues when going fullscreen," SquareX researchers say.
SquareX contacted Apple with its findings and received a "wontfix" reply, the reason given being that the animation is present to indicate changes, and that should be enough.
BleepingComputer has also reached out to Apple for a comment, but we are still waiting for their response.