Is Your Safari Browser Lying To You? Fullscreen Flaw Enables Convincing Password Theft

Heads up, Apple Safari users! A trick that leverages the browser's Fullscreen API is being used by attackers to steal login credentials, security firm SquareX warns. This "Browser-in-the-Middle" attack is effective precisely because it makes a remote browser under the attacker's control look indistinguishable from your real one.
Security researchers at SquareX have sounded the alarm, noting an uptick in attacks that abuse Safari’s Fullscreen API functionality. This feature, designed to allow web developers to present specific elements in an immersive fullscreen mode, has become a potent tool for cybercriminals. They are using it in conjunction with a technique known as a “Browser-in-the-Middle” (BitM) attack.
How the Deception Works: The Invisible Hijack
The core of the attack is deceptively simple: victims are tricked into interacting with a remote browser that is entirely under the attacker's control, streamed into a page they have been lured to. The crucial element? The attacker's page requests fullscreen for the element that shows that remote browser. Doing so hides all of the victim's real browser interface (UI) elements and system indicators, including the address bar that would otherwise reveal the true, malicious URL; any address bar the victim now sees is drawn by the attacker and can show whatever domain the attacker likes.
Unsuspecting users, believing they are on a legitimate website, proceed to enter their login details. The login genuinely succeeds, because the remote browser is really visiting the legitimate site, but the whole session lives on the attacker's machine. This gives the attacker unfettered access to harvest:
- Login credentials (usernames and passwords)
- Authentication cookies (session cookies issued after a completed login, which let the attacker reuse the session without repeating 2FA)
- Other sensitive session information
“SquareX’s research team has observed multiple instances of the browser’s FullScreen API being exploited…displaying a fullscreen BitM window that covers the parent window’s address bar,” the researchers stated in their report.
Why Safari is a Prime Target: The Subtle Alert Problem
While this type of attack can theoretically work on any browser, SquareX highlights a “limitation specific to Safari browsers that makes fullscreen BitM attacks especially convincing.” The issue boils down to how Safari notifies users when a window enters fullscreen mode.
Competing browsers, such as Chromium-based ones (like Google Chrome and Microsoft Edge) or Mozilla Firefox, display a clear on-screen notice when a page enters fullscreen mode, typically an overlay telling the user how to exit. Users can still miss these notices, but the chance is significantly lower.
Safari, however, lacks such an obvious notification. Instead, the only signal is a brief “swipe animation” as the window transitions to fullscreen. SquareX argues this animation “can easily be missed,” leaving users unaware that their entire screen has been taken over by a potentially malicious remote view.
“While the attack works on all browsers, fullscreen BiTM attacks are particularly convincing on Safari browsers due to the lack of clear visual cues when going fullscreen,” SquareX concluded.
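The notice Safari lacks can be supplied from the user's side. The following is an added example, not code from SquareX, Apple or the original report: a browser-extension content script (or userscript) that paints a persistent banner whenever the page enters fullscreen and names the origin that owns the screen, flagging the case the article describes, where an embedded frame from another origin fills the display. The banner styling, the `warning`/`notice` levels and the sample origins (`attacker.example`, `lure.example`) are assumptions chosen for illustration. The decision logic is kept free of DOM calls so it can be tested in Node; the wiring at the bottom only runs when a `document` exists.

```javascript
// Added example (not SquareX's, Apple's or the article's code): a content
// script that gives Safari a persistent fullscreen notice.

// Safari long exposed only the webkit-prefixed Fullscreen API; newer releases
// also support the unprefixed names, so both event names are handled.
const FULLSCREEN_EVENTS = ["fullscreenchange", "webkitfullscreenchange"];

function fullscreenElementOf(doc) {
  return doc.fullscreenElement || doc.webkitFullscreenElement || null;
}

// Pure decision logic. `state` is a plain object
// { tagName, frameSrcOrigin, pageOrigin } or null when nothing is fullscreen.
// Returns null, or { level: "warning" | "notice", text }.
function describeFullscreen(state) {
  if (!state || !state.tagName) return null;
  const tag = state.tagName.toUpperCase();
  const page = state.pageOrigin;
  if (tag === "IFRAME") {
    // A frame took the whole screen: what it renders is not the page the user
    // thinks they are on. A streamed remote browser in a BitM attack looks
    // exactly like this, so a frame from another (or unknown) origin is a warning.
    const sameOrigin = state.frameSrcOrigin && state.frameSrcOrigin === page;
    const who = state.frameSrcOrigin || "an opaque or cross-origin frame";
    return {
      level: sameOrigin ? "notice" : "warning",
      text: `Fullscreen: embedded frame from ${who} inside ${page}. Press Esc to exit.`,
    };
  }
  return { level: "notice", text: `Fullscreen: ${page} (<${tag.toLowerCase()}>). Press Esc to exit.` };
}

// Reduce a live document to the plain state object above.
function stateFromDocument(doc, win) {
  const el = fullscreenElementOf(doc);
  if (!el) return null;
  let frameSrcOrigin = null;
  if (el.tagName && el.tagName.toUpperCase() === "IFRAME" && el.src) {
    try {
      const origin = new URL(el.src, win.location.href).origin;
      // about:blank / srcdoc frames report the literal string "null".
      frameSrcOrigin = origin === "null" ? null : origin;
    } catch (_) {
      frameSrcOrigin = null;
    }
  }
  return { tagName: el.tagName, frameSrcOrigin, pageOrigin: win.location.origin };
}

// DOM wiring. A fullscreen element lives in the browser's top layer, so an
// ordinary position:fixed div is painted beneath it. Showing the banner as a
// manual popover *after* the fullscreen change puts it in the top layer too,
// above the fullscreen element (top-layer elements stack in order of entry).
function installFullscreenBanner(doc, win) {
  const banner = doc.createElement("div");
  banner.setAttribute("popover", "manual");
  banner.style.cssText =
    "position:fixed;top:0;left:0;right:0;margin:0;border:0;padding:8px 12px;" +
    "font:14px system-ui;color:#fff;background:#444;z-index:2147483647";
  doc.documentElement.appendChild(banner);

  const hasPopover = typeof banner.showPopover === "function";
  const update = () => {
    const info = describeFullscreen(stateFromDocument(doc, win));
    if (!info) {
      if (hasPopover && banner.matches(":popover-open")) banner.hidePopover();
      banner.style.display = "none";
      return;
    }
    banner.textContent = info.text;
    banner.style.background = info.level === "warning" ? "#b00020" : "#444";
    banner.style.display = "block";
    if (hasPopover) {
      if (banner.matches(":popover-open")) banner.hidePopover();
      banner.showPopover(); // re-show so it enters the top layer last
    }
  };
  for (const ev of FULLSCREEN_EVENTS) doc.addEventListener(ev, update);
  update();
}

if (typeof document !== "undefined" && typeof window !== "undefined") {
  installFullscreenBanner(document, window);
}
```

The content script must run in every frame's parent, not just the top document, since a nested frame can request fullscreen too; as an extension it would be declared with `all_frames` and run at document start. It cannot help when the attacker's page is itself the top-level fullscreen element (the banner then only names the page's own origin), which is why the origin it prints still has to be compared against the site the user believes they are on.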
Apple’s Stance: “Guardrails in Place”
The researchers did report their findings to Apple. However, the tech giant has reportedly decided not to pursue the matter further at this time. Apple’s apparent position is that the existing animation provides a sufficient signal to users, and that “guardrails are in place.”
This response leaves Safari users in a precarious position, relying on a subtle animation to detect a potentially devastating credential theft attack. As attackers continue to refine their techniques, the lack of a more prominent fullscreen warning in Safari could make its users increasingly vulnerable to these convincing Browser-in-the-Middle schemes. Users are advised to treat any unexpected fullscreen transition during a login as suspicious: pressing Esc exits fullscreen and brings back the real address bar, which should show the site you meant to visit. Origin-bound defenses also help, since a password manager will not autofill on the attacker's domain and a passkey or hardware security key registered with the real site cannot be used through the attacker's relayed browser.