This worrying Apple Safari security bug could leave users wide open to cyberattacks
However, Apple doesn't think it's worth addressing

- SquareX says hackers can abuse the Fullscreen API in Safari to trick people into running remote browsers
- The browser-in-the-middle attack is good for stealing login credentials
- Apple says guardrails are in place and will not pursue it further
The Fullscreen API, a feature of the Apple Safari browser that allows web developers to present specific elements in fullscreen mode, has a vulnerability that is being abused in convincing password theft attacks, experts have warned.
Security researchers at SquareX claim to have observed an increase in the use of this type of attack, which leverages the browser-in-the-middle (BitM) technique.
Essentially, victims are tricked into interacting with a remote browser that is under the attackers' control. Since that browser is presented in fullscreen mode, the user interface (UI) and system elements are hidden, making the attack harder to spot.
Guardrails in place
As a result, victims log into their accounts in a remote browser, thinking they are doing so on their own device.
The login still succeeds, but the session runs on the attacker's machine, which lets the attacker harvest login credentials, authentication cookies, and more.
“SquareX’s research team has observed multiple instances of the browser’s FullScreen API being exploited to address this flaw by displaying a fullscreen BitM window that covers the parent window’s address bar, as well as a limitation specific to Safari browsers that makes fullscreen BitM attacks especially convincing,” the researchers said in the report.
The “limitations specific to Safari browsers” the researchers mentioned are apparently about notifications, since the Apple browser allegedly doesn’t properly alert users when a browser window enters fullscreen mode.
The researchers said that competing browsers, such as Chromium-based ones or Firefox, show an alert whenever fullscreen is active. While users might still miss the alert, the chances are smaller than in Safari, where there is no alert. Instead, the only signal is a swipe animation that, as the researchers claim, can easily be missed.
"While the attack works on all browsers, fullscreen BiTM attacks are particularly convincing on Safari browsers due to the lack of clear visual cues when going fullscreen," SquareX concluded.
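A compensating control for the missing cue, as an added example that is neither SquareX's nor Apple's code: a web-extension-style content script that listens for fullscreen changes and paints a banner naming the page origin inside the fullscreen region, and leaves fullscreen when the fullscreened element is a bare frame that can host no banner. It assumes it is injected into every page; all names below are hypothetical.

```javascript
// Added example (not SquareX's or Apple's code): an extension-style content
// script that supplies the visual cue Safari lacks. It assumes it is injected
// into every page; element and banner names below are hypothetical.

const BANNER_ID = 'fullscreen-origin-warning';
const FRAME_SELECTOR = 'iframe, frame, embed, object';

// Pure helper: warning text from the page origin and whether the fullscreen
// region embeds a frame (a remote browser is typically delivered in one).
function buildWarning(origin, framed) {
  const base = `Fullscreen mode entered by ${origin}. Press Esc to exit.`;
  return framed ? `${base} This area embeds another frame; do not type credentials here.` : base;
}

// Pure helper: is the element itself a frame, or does it contain one?
function embedsFrame(el) {
  if (!el) return false;
  const tag = String(el.tagName || '').toLowerCase();
  if (FRAME_SELECTOR.split(', ').includes(tag)) return true;
  return typeof el.querySelector === 'function' && el.querySelector(FRAME_SELECTOR) !== null;
}

// Handle a (webkit)fullscreenchange event. Returns the banner text shown,
// or null when fullscreen was left or could not be annotated.
function onFullscreenChange(doc, loc) {
  const old = doc.getElementById(BANNER_ID);
  if (old) old.remove();                       // clear a stale banner
  const el = doc.fullscreenElement || doc.webkitFullscreenElement || null;
  if (!el) return null;                        // fullscreen exited
  // A frame fullscreened directly renders no children, so no banner can be
  // hosted inside it; fall back to leaving fullscreen.
  if (String(el.tagName || '').toLowerCase() === 'iframe') {
    const exit = doc.exitFullscreen || doc.webkitExitFullscreen;
    if (exit) exit.call(doc);
    return null;
  }
  const text = buildWarning(loc.origin, embedsFrame(el));
  const banner = doc.createElement('div');
  banner.id = BANNER_ID;
  banner.textContent = text;
  banner.style.cssText = 'position:fixed;top:0;left:0;right:0;z-index:2147483647;'
    + 'padding:8px;background:#b00020;color:#fff;font:14px sans-serif;';
  el.appendChild(banner);   // only children of the fullscreen element are visible
  return text;
}

if (typeof document !== 'undefined') {
  for (const ev of ['fullscreenchange', 'webkitfullscreenchange']) {
    document.addEventListener(ev, () => onFullscreenChange(document, window.location));
  }
}
```

A page's own script can remove the banner, so this is a cue rather than an enforcement boundary; whether to exit fullscreen outright for frame-hosting regions is a policy choice.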
The researchers also said they reached out to Apple, which decided not to pursue the matter further, as apparently the animation is signal enough.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.