- SquareX says hackers can abuse the Fullscreen API in Safari to trick people into using remote browsers
- The browser-in-the-middle attack is well suited to stealing login credentials
- Apple says guardrails are in place and will not pursue the issue further
The Fullscreen API, a feature of Apple's Safari browser that lets web developers present specific page elements in full-screen mode, has a weakness that is being abused in convincing password-theft attacks, experts have warned.
Security researchers at SquareX say they have observed an increase in this type of attack, which relies on the browser-in-the-middle (BitM) technique.
Essentially, victims are tricked into interacting with a remote browser that is under the attackers' control. Because that browser is shown in full-screen mode, the local browser's user interface (UI) and the operating system's own elements are hidden, which makes the attack hard to spot.
Guardrails in place
As a result, victims log in to various accounts through the remote browser, believing they are doing so on their own device.
The login itself still succeeds, but it takes place on the attacker's machine, which lets them harvest login credentials, authentication cookies and more.
"The SquareX research team has observed multiple instances of the browser's full-screen mode being exploited to address this flaw by displaying a full-screen BitM window that covers the address bar of the main window, as well as a specific limitation of Safari browsers that makes full-screen BitM attacks especially convincing," the researchers said in the report.
The "Safari-specific limitation" the researchers mention is apparently its notifications: Apple's browser reportedly does not clearly alert users when a browser window enters full-screen mode.
Competing browsers, such as Chromium-based ones or Firefox, show a notice every time full screen is activated, the researchers said. Users can still miss that notice, but the odds are lower than in Safari, where there is no notice at all. Instead, the only cue is a swipe animation, which the researchers say is easy to miss.
"While the attack works in all browsers, full-screen BitM attacks are particularly convincing in Safari browsers due to the lack of clear visual cues when entering full screen," SquareX concluded.
The researchers also said they contacted Apple, which decided not to pursue the issue, apparently considering the animation sufficient.
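As an added illustration (not code from the article, from SquareX or from Apple), the snippet below shows the Fullscreen API surface a browser extension's content script could hook to restore a visible cue in Safari: it listens for the `fullscreenchange` event (and the `webkit`-prefixed variant on older Safari), inspects the element that went full screen via `document.fullscreenElement`, and flags the case where that element embeds content from another origin. The function names, the message format and the assumption that a remote browser is embedded through an `<iframe>` are this example's own; a BitM session can also be delivered as a streamed `<video>` or `<canvas>`, which this check would not catch.

```javascript
"use strict";

// Decide what to tell the user when document.fullscreenElement changes.
//   el         : the element now in full screen (null when full screen ended)
//   pageOrigin : the origin of the page the user believes they are on
// Returns { level, message, frameOrigins }. Kept free of DOM calls so it can
// run under Node for testing; element objects only need tagName, src and
// optionally querySelectorAll.
function assessFullscreenElement(el, pageOrigin) {
  if (!el) {
    return { level: "info", message: "Full-screen mode ended.", frameOrigins: [] };
  }
  // Collect every <iframe> that is, or sits inside, the full-screened element.
  // Assumption of this example: a remote (BitM) browser is shown in an iframe.
  const frames = [];
  if (String(el.tagName).toUpperCase() === "IFRAME") frames.push(el);
  if (typeof el.querySelectorAll === "function") {
    frames.push(...el.querySelectorAll("iframe"));
  }
  const frameOrigins = [];
  for (const f of frames) {
    const src = f.src || "";
    if (src === "" || src === "about:blank") continue; // same-origin by definition
    let origin;
    try {
      origin = new URL(src, pageOrigin).origin; // relative src resolves to pageOrigin
    } catch {
      origin = "unknown";
    }
    if (origin !== pageOrigin && !frameOrigins.includes(origin)) frameOrigins.push(origin);
  }
  if (frameOrigins.length > 0) {
    return {
      level: "warning",
      frameOrigins,
      message: `${pageOrigin} switched to full screen and is showing content from ` +
               `${frameOrigins.join(", ")}. The real address bar is hidden; ` +
               `press Esc and check the URL before typing any credentials.`,
    };
  }
  return {
    level: "info",
    frameOrigins,
    message: `${pageOrigin} switched to full screen. Press Esc to leave it.`,
  };
}

// Content-script wiring (hypothetical extension; guarded so the file also loads
// under Node). A banner injected into the page would itself be hidden beneath the
// full-screened element, which the browser paints in its top layer, so the
// verdict is handed to the extension's background script instead, where it can
// be shown outside the page (e.g. as a browser notification).
function onFullscreenChange() {
  const el = document.fullscreenElement ?? document.webkitFullscreenElement ?? null;
  const verdict = assessFullscreenElement(el, location.origin);
  const runtime = globalThis.chrome?.runtime ?? globalThis.browser?.runtime;
  if (runtime && typeof runtime.sendMessage === "function") {
    runtime.sendMessage({ type: "fullscreen-cue", ...verdict });
  } else {
    console.warn(verdict.message); // fallback when run outside an extension
  }
}

if (typeof document !== "undefined") {
  document.addEventListener("fullscreenchange", onFullscreenChange);
  document.addEventListener("webkitfullscreenchange", onFullscreenChange); // older Safari
}
```

The check deliberately only reports; automatically calling `document.exitFullscreen()` on any cross-origin frame would also break legitimate embeds such as third-party video players, so a deployable extension would combine this signal with an allow list or a user prompt.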
Via BleepingComputer