This worrying Apple Safari Security Bug can leave users wide open to cyber attacks
- SquareX says attackers can abuse the Fullscreen API in Safari to trick users into interacting with a remote browser
- The browser-in-the-middle attack is used to steal login credentials
- Apple says guardrails are already in place and will not pursue a fix
The Fullscreen API, a feature of Apple's Safari browser that lets web developers present specific page elements in full-screen mode, has a weakness that is being abused in convincing password-theft attacks, experts have warned.
Security researchers at SquareX say they have observed increased use of this type of attack, which relies on the browser-in-the-middle (BitM) technique.
In essence, victims are tricked into interacting with a remote browser that is under the attackers' control. Because that browser is presented in full-screen mode, the user interface (UI) and system elements are hidden, making the attack harder to spot.
Guardrails in place
As a result, victims log in to various accounts in the remote browser, believing they are doing so on their own device.
The login still succeeds, but it takes place on the attacker's machine, allowing them to harvest credentials, authentication cookies and more.
“The SquareX research team has observed multiple instances of the browser’s Fullscreen API being exploited to address this flaw by opening a BitM window in full screen that covers the parent window’s address bar, as well as a limitation that is specific to Safari browsers,” the report says.
The “limitation specific to Safari browsers” that the researchers refer to apparently concerns notifications: the Apple browser is said not to warn users properly when a browser window enters full-screen mode.
The researchers said that competing browsers, such as Chromium-based ones or Firefox, show a warning when full-screen mode becomes active. Users may still miss that warning, but the chances of doing so are smaller than in Safari, where there is no alert at all. Instead, the only signal is a swipe animation that, the researchers claim, is easily missed.
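As an added example (not code from the article, from SquareX or from Apple), the following user-side script restores, on a best-effort basis, the kind of persistent warning Chromium-based browsers and Firefox show natively: it listens for fullscreen changes and draws a banner inside whatever element went full screen, so the user is told that the real address bar is hidden. The risk levels, the banner wording, the password-field heuristic and the element id are assumptions of this example, not anything the researchers describe.

```javascript
// Added example, not code from the article or from SquareX: a user-side
// fullscreen guard (e.g. a userscript or extension content script) that
// reproduces the fullscreen warning Chromium-based browsers and Firefox
// show natively. The risk levels, messages, password-field heuristic and
// banner id below are this example's own assumptions.

const RISK = Object.freeze({ NONE: 0, INFO: 1, HIGH: 2 });
const BANNER_ID = "fullscreen-guard-banner"; // hypothetical element id

// Pure decision logic, kept DOM-free so it can be unit-tested under Node.
function assessFullscreenRisk({ fullscreenActive, fullscreenTagName = "", hasCredentialField = false }) {
  if (!fullscreenActive) {
    return { level: RISK.NONE, message: "" };
  }
  // Heuristic (assumption): a full-screen subtree that contains a password
  // field looks like a login prompt shown while the real address bar is hidden.
  if (hasCredentialField) {
    return {
      level: RISK.HIGH,
      message: "This full-screen page asks for a password while the address bar is hidden. Press Esc and check the URL first.",
    };
  }
  // A full-screen frame cannot be inspected from this document.
  if (fullscreenTagName === "IFRAME") {
    return {
      level: RISK.INFO,
      message: "An embedded frame is in full-screen mode; its content cannot be inspected. Press Esc to see the address bar.",
    };
  }
  return {
    level: RISK.INFO,
    message: "This page is in full-screen mode. Press Esc to exit and see the real address bar.",
  };
}

// Safari before 16.4 only exposes the webkit-prefixed form of the Fullscreen API.
function currentFullscreenElement(doc) {
  return doc.fullscreenElement || doc.webkitFullscreenElement || null;
}

function renderBanner(doc, fsElement, verdict) {
  let banner = doc.getElementById(BANNER_ID);
  if (!fsElement || verdict.level === RISK.NONE) {
    if (banner) banner.remove();
    return;
  }
  if (fsElement.tagName === "IFRAME") {
    // Children of an <iframe> are fallback content and are never rendered,
    // so the banner cannot be drawn there; fall back to the console.
    console.warn("[fullscreen-guard]", verdict.message);
    return;
  }
  if (!banner) {
    banner = doc.createElement("div");
    banner.id = BANNER_ID;
    Object.assign(banner.style, {
      position: "fixed", top: "0", left: "0", right: "0", zIndex: "2147483647",
      padding: "12px", color: "#fff", font: "bold 15px sans-serif", textAlign: "center",
    });
  }
  banner.textContent = verdict.message;
  banner.style.background = verdict.level === RISK.HIGH ? "#b00020" : "#333";
  // While an element is full screen only its subtree is rendered (it sits in
  // the top layer), so the banner must be placed inside it, not on <body>.
  if (banner.parentNode !== fsElement) fsElement.appendChild(banner);
}

function installFullscreenGuard(doc) {
  const onChange = () => {
    const fsElement = currentFullscreenElement(doc);
    const verdict = assessFullscreenRisk({
      fullscreenActive: fsElement !== null,
      fullscreenTagName: fsElement ? fsElement.tagName : "",
      hasCredentialField: fsElement !== null && fsElement.querySelector('input[type="password"]') !== null,
    });
    renderBanner(doc, fsElement, verdict);
  };
  doc.addEventListener("fullscreenchange", onChange);
  doc.addEventListener("webkitfullscreenchange", onChange); // older Safari
}

// Only wire up the DOM listeners when actually running in a browser.
if (typeof document !== "undefined") {
  installFullscreenGuard(document);
}
```

Because the banner lives in the page's own DOM, a hostile page script can remove or restyle it, so this is a defense-in-depth signal rather than a substitute for a browser-level indicator; the robust fix is an indicator drawn by the browser chrome itself, which is exactly what Safari lacks and what the researchers raised with Apple.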
“While the attack works on all browsers, fullscreen BitM attacks are particularly convincing on Safari browsers due to the lack of clear visual cues when entering full screen,” SquareX concluded.
The researchers also said they contacted Apple, which decided not to pursue the issue further, apparently because the animation is considered a sufficient signal.