Security researchers at SquareX have disclosed a Browser-in-the-Middle (BitM) attack that specifically targets Safari users by abusing a weakness in the browser's Fullscreen API implementation.

The attack, disclosed as part of the Year of Browser Bugs (YOBB) project, enables attackers to run phishing campaigns that are very hard for victims to detect and that can steal login credentials and other sensitive data.

Unlike traditional BitM attacks, this new variant leverages fullscreen mode to completely hide malicious URLs, making it nearly impossible for even security-conscious users to identify the threat.

Safari Fullscreen Flaw

The attack relies on a weakness in Safari's implementation of the Fullscreen API: the browser gives users no adequate visual notification when a page enters fullscreen mode.

While other browsers like Chrome, Firefox, and Edge display warning messages when fullscreen mode is activated, Safari only shows a brief swipe animation without any explicit messaging. 

Because the API only needs a user gesture, attackers can trigger fullscreen mode through seemingly innocent interactions, such as a click on a fake login button embedded in a malicious webpage.

The attack uses the noVNC remote access framework to stream an attacker-controlled browser session, running on the attacker's infrastructure, into the victim's browser window; the victim sees and interacts with the attacker's browser rather than their own.

When combined with the Fullscreen API, the malicious content can occupy the entire screen real estate, effectively masking any indicators that might alert users to the deception. 

SquareX researchers noted that “Safari users are especially vulnerable to this attack as there is no clear visual indicator of users entering fullscreen”.

The Fullscreen BitM attack operates by exploiting the loose specifications of the Fullscreen API, which only requires that “the user has to interact with the page or a UI element in order for this feature to work”. 

Attackers can bind a call to the requestFullscreen() method to any clickable element on their phishing page, so the attack unfolds as follows.

Once triggered, the attack fills the screen with a fullscreen window that mimics a legitimate login page, including a fake address bar that shows the genuine service's URL.

The victim believes they are interacting with a genuine service while actually providing credentials to an attacker-controlled environment. 

This technique represents a significant evolution from traditional BitM attacks, which previously suffered from the limitation of visible malicious URLs in the parent window.
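As an added illustration, not code from SquareX, Apple or the original article, the following JavaScript shows both halves of the pattern described above: the attacker side, where a click handler on a fake "Sign in" button calls requestFullscreen() on a container wrapping the noVNC canvas, and a defender side, a browser-extension or userscript watcher that inspects document.fullscreenElement on every fullscreenchange and flags a plain container wrapping canvas or iframe content (what a pixel-pushed remote browser looks like) rather than a video element. The heuristic, the function names and the mock DOM at the bottom (which lets the module run under Node) are all assumptions for this example.

```javascript
// Added example (not SquareX's or Apple's code): attacker-side trigger and a
// defender-side fullscreenchange watcher for the fullscreen BitM pattern.
// Runs unchanged in a browser; under Node it runs against the constructed mock DOM
// at the bottom, which is an assumption of this example, not browser code.

const EMBEDDED_SELECTOR = "canvas, iframe, embed, object";

// Attacker side: the returned handler is what a phishing page binds to its button.
function makePhishTrigger(container) {
  return function onSignInClick() {
    // Must run inside a user-activation handler or browsers reject the promise.
    return container.requestFullscreen();
  };
}

// Heuristic: <video> fullscreen is the normal case; a generic element whose
// subtree contains canvas/iframe/embed content matches a streamed remote browser.
function assessFullscreenElement(el) {
  if (!el) return { verdict: "none", reason: "document left fullscreen" };
  const tag = el.tagName.toLowerCase();
  if (tag === "video") return { verdict: "benign", reason: "<video> went fullscreen" };
  const kinds = [...new Set(Array.from(el.querySelectorAll(EMBEDDED_SELECTOR))
    .map((e) => e.tagName.toLowerCase()))];
  if (kinds.length > 0) {
    return { verdict: "suspicious", reason: `<${tag}> fullscreen wrapping <${kinds.join(">, <")}>` };
  }
  return { verdict: "review", reason: `<${tag}> went fullscreen` };
}

// Defender side: report() is where an extension would draw its own banner,
// since Safari itself draws none. Returns an uninstall function.
function installFullscreenWatcher(doc, report) {
  // Older Safari builds expose only the webkit-prefixed event and property.
  const prefixed = !("onfullscreenchange" in doc);
  const eventName = prefixed ? "webkitfullscreenchange" : "fullscreenchange";
  const handler = () => report(assessFullscreenElement(
    prefixed ? doc.webkitFullscreenElement : doc.fullscreenElement));
  doc.addEventListener(eventName, handler);
  return () => doc.removeEventListener(eventName, handler);
}

// ---- constructed mock DOM (only what the functions above touch) -------------
function mockDocument() {
  const listeners = new Map();
  const doc = {
    onfullscreenchange: null,
    fullscreenElement: null,
    addEventListener(type, fn) { listeners.set(type, [...(listeners.get(type) || []), fn]); },
    removeEventListener(type, fn) { listeners.set(type, (listeners.get(type) || []).filter((f) => f !== fn)); },
    createElement(tagName, children = []) {
      const el = { tagName: tagName.toUpperCase(), children };
      el.querySelectorAll = (selector) => {
        const wanted = new Set(selector.split(",").map((s) => s.trim().toUpperCase()));
        const found = [];
        (function walk(n) { for (const c of n.children) { if (wanted.has(c.tagName)) found.push(c); walk(c); } })(el);
        return found;
      };
      el.requestFullscreen = () => {
        doc.fullscreenElement = el;
        (listeners.get("fullscreenchange") || []).forEach((fn) => fn());
        return Promise.resolve();
      };
      return el;
    },
  };
  return doc;
}

// End-to-end run against the mock: a legitimate video player for contrast, then
// the phishing layout (fake address bar + noVNC canvas inside a <div>).
function simulateFullscreenBitm(doc = mockDocument()) {
  const reports = [];
  const uninstall = installFullscreenWatcher(doc, (r) => reports.push(r));
  doc.createElement("video").requestFullscreen();
  const fakeChrome = doc.createElement("div", [doc.createElement("input")]);
  const remoteBrowser = doc.createElement("div", [doc.createElement("canvas")]);
  const container = doc.createElement("div", [fakeChrome, remoteBrowser]);
  makePhishTrigger(container)();
  uninstall();
  return reports.map((r) => r.verdict); // ["benign", "suspicious"]
}
```

The watcher is a mitigation for the missing indicator, not a complete defense: a page that draws its fake chrome with ordinary HTML and streams the remote browser into an element the heuristic does not cover would not be flagged, and the watcher must run from an extension, since the phishing page itself controls its own scripts. The one control the user already has is that pressing Esc exits fullscreen; if the address bar that reappears differs from the one that was shown, the page was lying.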

The discovery has significant implications for enterprise security, because, according to SquareX, existing endpoint detection and response (EDR) solutions cannot monitor what happens inside the browser.

SquareX researchers emphasized that “EDRs have zero visibility into the browser and are proven to be obsolete when it comes to detecting any BitM attack, much less its more advanced fullscreen variant”. 

The same limitation applies to SASE/SSE security solutions: since the real navigation happens in the attacker's remote browser and the victim only receives rendered pixels, the same remote browser isolation and pixel-pushing techniques used for legitimate purposes bypass network-level inspection.

Apple has been formally notified of the vulnerability but has indicated no plans to address the issue, stating that Safari’s Fullscreen API behavior is working as designed. 

This response highlights the difficulty of addressing weaknesses that are architectural, and exist by design, rather than implementation errors that could be patched.

Security experts recommend that enterprises deploy browser-native security tools capable of monitoring in-browser activities directly, as traditional network and endpoint-level solutions remain blind to these sophisticated attack vectors.
