- SquareX says attackers can abuse Safari's Fullscreen API to lure people into interacting with remote browsers
- The Browser-in-the-Middle attack is well suited to stealing login credentials
- Apple says guardrails are in place and will not pursue the matter further
The Fullscreen API, a feature of Apple's Safari browser that lets web developers present specific elements in full-screen mode, has a vulnerability that is being abused to make password-theft attacks more convincing, experts have warned.
Security researchers at SquareX say they have observed a rise in this type of attack, which exploits the Browser-in-the-Middle (BitM) technique.
Essentially, victims are tricked into interacting with a remote browser that is under the attackers' control. Because that browser is in full-screen mode, the user interface (UI) and system elements are hidden, which makes spotting the attack a little harder.
Guardrails in place
As a result, victims log in to various accounts in the remote browser, believing they are doing so on their own device.
They do log in, but the process takes place on the attacker's machine, which lets the attackers collect login credentials, authentication cookies and more.
“SquareX's research team has observed several instances of the browser Fullscreen API being exploited to address this flaw by displaying a full-screen BitM window that covers the parent window's address bar, as well as a specific limitation of Safari browsers that makes full-screen BitM attacks particularly convincing,” the researchers said in the report.
The “specific limitation of Safari browsers” the researchers mention apparently concerns notifications, because Apple's browser does not properly warn users when a browser window enters full-screen mode.
The researchers said competing browsers, such as Chromium-based ones or Firefox, show an alert whenever full screen is activated. Users can still miss that alert, but the odds are lower than on Safari, where there is no alert at all. Instead, the only signal is a slide animation which, the researchers say, is easily missed.
“While the attack works on all browsers, full-screen BitM attacks are particularly convincing on Safari browsers due to the lack of clear visual cues when they enter full screen,” SquareX said.
The researchers also said they contacted Apple, which decided not to pursue the matter further, apparently because the animation is deemed sufficient warning.
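The missing cue on Safari can be partly recreated from a user script or browser-extension content script: listen for the Fullscreen API's change event and paint a banner naming the real top-level origin, which a remote-browser page cannot alter. This is an added example, not code from SquareX or from the report; the function and element names are hypothetical and the hostnames in the test are constructed.

```javascript
// Added defensive example (not from the report): re-create the full-screen
// cue Safari lacks by overlaying the page's real hostname when it enters
// full screen. A hostile page can still delete the node, so this is a user
// cue, not a guarantee; browser-level UI remains the proper fix.

// Pure decision logic, kept apart from the DOM so it can be unit-tested.
function bannerText(hostname, isFullscreen) {
  if (!isFullscreen) return null;            // nothing to show on exit
  return `Full screen: you are viewing ${hostname}`;
}

// Safari 16.4+ fires the unprefixed event; older WebKit uses the prefix.
const FULLSCREEN_EVENTS = ["fullscreenchange", "webkitfullscreenchange"];

function isFullscreenActive(doc) {
  return Boolean(doc.fullscreenElement || doc.webkitFullscreenElement);
}

function installFullscreenBanner(doc, loc) {
  const BANNER_ID = "fs-origin-banner";      // hypothetical element id
  function render() {
    const text = bannerText(loc.hostname, isFullscreenActive(doc));
    let el = doc.getElementById(BANNER_ID);
    if (text === null) { if (el) el.remove(); return; }
    if (!el) {
      el = doc.createElement("div");
      el.id = BANNER_ID;
      // Fixed, top-most and non-interactive so page content cannot sit on
      // top of it or click it away.
      el.style.cssText = "position:fixed;top:0;left:0;right:0;" +
        "z-index:2147483647;background:#b00020;color:#fff;" +
        "font:14px sans-serif;padding:6px;text-align:center;pointer-events:none";
      // While full screen is active only the fullscreen element and its
      // descendants are painted, so the banner must live inside it. If that
      // element cannot host children (an <iframe> or <video>), a content
      // script cannot paint over it at all.
      const host = doc.fullscreenElement || doc.webkitFullscreenElement || doc.body;
      host.appendChild(el);
    }
    el.textContent = text;
  }
  for (const ev of FULLSCREEN_EVENTS) doc.addEventListener(ev, render);
}

// Wire up the DOM only when running in a browser; the functions above are
// also usable from a Node test harness.
if (typeof document !== "undefined" && typeof location !== "undefined") {
  installFullscreenBanner(document, location);
}
```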
Via BleepingComputer