
A critical weakness in Apple's Safari web browser enables threat actors to exploit the Fullscreen API, facilitating browser-in-the-middle (BitM) attacks to steal user credentials. Attackers use fullscreen mode to hide the browser's own chrome (URL bar, padlock and other security indicators), so a malicious page can pass for the legitimate site.
You Should Know:
How the Exploit Works
- Fullscreen API Abuse: attackers use JavaScript to put the page into fullscreen mode, hiding the URL bar and other security indicators. Browsers only honour the call from a user gesture, so it is bound to something the victim will click anyway (a "Sign in" button or link):
// run from a click handler: requestFullscreen() is rejected outside a user gesture
document.documentElement.requestFullscreen();
- Phishing Page Overlay: a fake login page mimics legitimate sites (e.g., Apple ID, banking portals) and fills the now-unlabelled fullscreen window.
- User Input Capture: credentials entered in the fake window are exfiltrated to attacker-controlled servers.
Detection & Mitigation
- Check for Suspicious Scripts (Browser DevTools):
// Monitor Fullscreen API calls
document.addEventListener('fullscreenchange', () => {
  console.log("Fullscreen triggered by:", document.fullscreenElement);
});
- Disable Automatic Fullscreen (Safari Workaround):
defaults write com.apple.Safari AllowFullscreen -bool false
This preference key is not documented by Apple; read it back with "defaults read com.apple.Safari AllowFullscreen", restart Safari, and confirm that a page can no longer enter fullscreen before relying on it as a control.
- Browser Extensions: use NoScript or uBlock Origin to block unauthorized scripts.
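The following is an added example that is not part of the original report: it turns the one-line fullscreenchange listener above into a small monitor that flags the BitM pattern described in the exploit steps (a fullscreened element that carries a password field or frames another origin), and drives it through both the attack scenario and a benign video-player case. The origins, element names and the stub DOM are constructed for this example so it runs offline under Node; in a real page you would install the monitor against the real document instead of the stub.

```javascript
// Added example, not code from the original report. Origins below are assumptions.
const PAGE_ORIGIN = 'https://shop.example';            // assumed origin of the page being watched
const ATTACKER_ORIGIN = 'https://login-proxy.example'; // assumed BitM relay origin

// Heuristic: a fullscreen session is suspicious when the element that went
// fullscreen hosts a password field or a cross-origin iframe (the BitM pattern:
// a full-window login that is not the site the now-hidden URL bar would show),
// or when the whole document root went fullscreen.
function analyzeFullscreenElement(el, pageOrigin) {
  const findings = [];
  if (!el) return { suspicious: false, findings };
  const pw = el.querySelectorAll('input[type="password"]');
  if (pw.length > 0) findings.push(`${pw.length} password field(s) inside fullscreen element`);
  for (const frame of el.querySelectorAll('iframe')) {
    let origin;
    try { origin = new URL(frame.src, pageOrigin).origin; } catch { origin = 'invalid'; }
    if (origin !== pageOrigin) findings.push(`cross-origin iframe: ${origin}`);
  }
  if (el.tagName === 'HTML') findings.push('document root went fullscreen');
  return { suspicious: findings.length > 0, findings };
}

// Hooks both the standard and the WebKit-prefixed event so it also fires in older Safari.
function installFullscreenMonitor(doc, pageOrigin, log = []) {
  const onChange = () => {
    const el = doc.fullscreenElement || doc.webkitFullscreenElement || null;
    const verdict = analyzeFullscreenElement(el, pageOrigin);
    log.push({ state: el ? 'enter' : 'exit', ...verdict });
  };
  doc.addEventListener('fullscreenchange', onChange);
  doc.addEventListener('webkitfullscreenchange', onChange);
  return log;
}

// ---- constructed stub of the DOM surface used above (not a real browser) ----
function stubElement(tagName, attrs = {}, children = []) {
  const el = { tagName: tagName.toUpperCase(), children, ...attrs };
  el.querySelectorAll = (selector) => {
    // supports the two selector shapes used in this example: "tag" and 'tag[attr="value"]'
    const [, tag, attr, value] = /^(\w+)(?:\[(\w+)="([^"]*)"\])?$/.exec(selector);
    const out = [];
    const walk = (node) => {
      for (const child of node.children) {
        if (child.tagName === tag.toUpperCase() && (!attr || child[attr] === value)) out.push(child);
        walk(child);
      }
    };
    walk(el);
    return out;
  };
  return el;
}

function stubDocument() {
  const listeners = {};
  return {
    fullscreenElement: null,
    addEventListener(name, fn) { (listeners[name] = listeners[name] || []).push(fn); },
    dispatch(name) { for (const fn of listeners[name] || []) fn(); },
  };
}

// Scenario 1: the BitM overlay. The victim's click (the user gesture the Fullscreen
// API requires) fullscreens a div that frames the attacker's relay and carries a
// fake login form. Returns the monitor's log.
function simulateBitmPhish() {
  const doc = stubDocument();
  const log = installFullscreenMonitor(doc, PAGE_ORIGIN);
  const overlay = stubElement('div', {}, [
    stubElement('iframe', { src: `${ATTACKER_ORIGIN}/vnc.html` }),
    stubElement('input', { type: 'password' }),
  ]);
  doc.fullscreenElement = overlay; // what overlay.requestFullscreen() would set in a browser
  doc.dispatch('fullscreenchange');
  return log;
}

// Scenario 2: a same-origin video player going fullscreen must not be flagged.
function simulateVideoFullscreen() {
  const doc = stubDocument();
  const log = installFullscreenMonitor(doc, PAGE_ORIGIN);
  doc.fullscreenElement = stubElement('video', { src: `${PAGE_ORIGIN}/clip.mp4` });
  doc.dispatch('fullscreenchange');
  return log;
}

console.log(simulateBitmPhish()[0].findings);      // password field + cross-origin iframe
console.log(simulateVideoFullscreen()[0].suspicious); // false
```

The two checks are deliberately DOM-level: they do not depend on the URL bar, which is exactly what the attacker has hidden, and they survive an attacker who fullscreens a child element rather than the document root. Pasting only the monitor half into DevTools on a live page (with the real document in place of the stub) is enough to see which element a page fullscreens and what it contains.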
Linux/Windows Commands for Analysis
- Check Network Traffic for Exfiltration (Linux):
sudo tcpdump -i eth0 'port 80 or port 443' -w traffic.pcap
TLS hides the submitted credentials themselves, but the capture still shows destination IPs and the TLS SNI hostname, which is enough to spot a "login" page posting to a host other than the one it impersonates.
- Inspect Suspicious Processes (Windows):
Get-Process | Where-Object { $_.CPU -gt 50 } | Format-Table -AutoSize
Note that $_.CPU is cumulative processor time in seconds, not a percentage; this is a weak signal for a BitM phish (which runs inside the browser tab) and is mainly useful for spotting helper tooling the attacker may have dropped.
Manual Verification Steps
1. Verify SSL Certificates (send SNI and close stdin so the command does not hang; check that subject and issuer match the site you expected to be on):
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
2. Check for Hidden Elements (Browser Console; ':visible' is a jQuery selector, not CSS, so querySelectorAll throws on it, use computed styles instead):
[...document.querySelectorAll('*')].filter(el => {
  const s = getComputedStyle(el);
  return s.display === 'none' || s.visibility === 'hidden' || s.opacity === '0';
});
What Undercode Say
This Safari flaw highlights the risks of an API that can hide the browser's own security UI. Chromium-based browsers partially mitigate BitM attacks with an on-screen notice when a page enters fullscreen, whereas Safari's implementation lacks a comparable warning. Enterprises should enforce strict CSP headers and train users to exit fullscreen manually (Escape, or Control+Command+F on macOS) whenever the URL bar disappears on a page that asks for credentials. The Fullscreen API already requires a user gesture; the attack works because the victim's own click on the phishing page supplies that gesture, so a Safari fix is more likely to add a visible entry warning than to tighten the gesture requirement.
Expected Output:
- Mitigation: Disable Safari fullscreen via terminal (macOS) or use Firefox with `resistFingerprinting` enabled.
- Detection: Monitor for unexpected fullscreen events in browser logs.
- URLs: BleepingComputer Report
Prediction
Phishing campaigns will increasingly abuse fullscreen APIs across browsers, pushing vendors to implement stricter user consent prompts. Zero-trust frameworks will integrate fullscreen event monitoring by 2026.
Reported By: Wayne Shaw – Hackers Feeds


