This worrying Apple Safari security bug could leave users wide open to cyberattacks
Date:
Fri, 30 May 2025 16:28:00 +0000
Description:
Hackers can abuse the Safari Fullscreen API to steal login credentials, experts have warned.
FULL STORY
======================================================================
- SquareX says hackers can abuse the Fullscreen API in Safari to trick people into running remote browsers
- The browser-in-the-middle attack is good for stealing login credentials
- Apple says guardrails are in place and will not pursue it further
The Fullscreen API, a feature of Apple's Safari browser that lets web developers present specific page elements in fullscreen mode, has a vulnerability that is being abused in convincing password theft attacks, experts have warned.
Security researchers at SquareX claim to have observed an increase in the use of this type of attack, which leverages the browser-in-the-middle (BitM) technique.
Essentially, victims are tricked into interacting with a remote browser that is under the attacker's control. Since that browser is shown in fullscreen mode, the local user interface (UI) and system elements are hidden, which makes the attack harder to spot.

Guardrails in place
As a result, victims log into different accounts in the remote browser, thinking they are doing so on their own device.
They still log in, but the process happens on the attacker's machine, which lets the attacker harvest login credentials, authentication cookies, and more.
"SquareX's research team has observed multiple instances of the browser's FullScreen API being exploited to address this flaw by displaying a fullscreen BitM window that covers the parent window's address bar, as well as a limitation specific to Safari browsers that makes fullscreen BitM attacks especially convincing," the researchers said in the report.
The Safari-specific limitation the researchers mention is apparently about notifications: the Apple browser allegedly does not properly alert users when a browser window enters fullscreen mode.
The researchers said that competing browsers, such as Chromium-based ones or Firefox, show an alert whenever fullscreen is active. Users might still miss the alert, but the chances are smaller than on Safari, where there is no alert at all. Instead, the only signal is a swipe animation that, the researchers claim, can easily be missed.
"While the attack works on all browsers, fullscreen BiTM attacks are particularly convincing on Safari browsers due to the lack of clear visual cues when going fullscreen," SquareX concluded.
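The missing visual cue is the part of this a defender can do something about on the client side. The following is an added example, not code from the article or from SquareX: a small user-side guard, meant to run as a browser extension content script or user script, that watches for `fullscreenchange` and paints a banner showing the page's real origin whenever an element is fullscreen. The banner id, the popover-first placement and the iframe fallback are choices made here for illustration; the document and origin are passed in so the logic can be exercised outside a browser.

```javascript
// Added example, not part of the article or of SquareX's research.
// A user-side guard that restores a visible "this page is fullscreen" cue,
// the signal the article says Safari lacks. Meant to run as a browser
// extension content script or user script; the document and origin are
// passed in so the logic can also be exercised outside a browser.

const BANNER_ID = "fullscreen-origin-banner"; // assumed id, chosen for this example

// Build the warning text. Pure function, so it can be tested without a DOM.
// Returns null when no element is fullscreen.
function fullscreenWarning(origin, fullscreenElement) {
  if (!fullscreenElement) return null;
  const tag = fullscreenElement.tagName
    ? fullscreenElement.tagName.toLowerCase()
    : "unknown";
  return `Fullscreen active on ${origin} (element: <${tag}>). ` +
         "Check the address bar before entering credentials. Press Esc to exit.";
}

// Install the guard on a document. On every fullscreenchange the banner is
// created or removed; the real origin is shown so a remote browser rendered
// in an iframe or canvas cannot pass itself off as another site.
function installFullscreenGuard(doc, origin) {
  // Safari exposed the prefixed name before the standard one.
  const currentFullscreenElement = () =>
    doc.fullscreenElement || doc.webkitFullscreenElement || null;

  const update = () => {
    const target = currentFullscreenElement();
    const message = fullscreenWarning(origin, target);
    let banner = doc.getElementById(BANNER_ID);

    if (message === null) {
      if (banner) banner.remove();
      return;
    }
    if (!banner) {
      banner = doc.createElement("div");
      banner.id = BANNER_ID;
      banner.style.cssText =
        "position:fixed;top:0;left:0;right:0;margin:0;width:auto;height:auto;" +
        "z-index:2147483647;background:#b00020;color:#fff;" +
        "font:14px system-ui;padding:6px 10px;";
      if ("showPopover" in banner) {
        // A manual popover joins the top layer above the fullscreen element,
        // so it stays painted even when only one element is fullscreen.
        banner.popover = "manual";
        doc.body.appendChild(banner);
        banner.showPopover();
      } else {
        // Fallback: only the fullscreen element is painted, so the banner
        // must live inside it. (Does not render if that element is an
        // iframe, which is why the popover path is preferred.)
        target.appendChild(banner);
      }
    }
    banner.textContent = message;
  };

  for (const evt of ["fullscreenchange", "webkitfullscreenchange"]) {
    doc.addEventListener(evt, update);
  }
  update();
  return update; // lets callers force a refresh
}

// Only wire up to the real page when running inside a browser.
if (typeof document !== "undefined" && typeof location !== "undefined") {
  installFullscreenGuard(document, location.origin);
}
```

This restores a cue, not a boundary: a page that controls its own fullscreen element can still try to cover or restyle the banner, so the banner text deliberately points the user at the address bar and the Esc key rather than asking them to trust anything drawn by the page.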
The researchers also said they reached out to Apple, which decided not to pursue the issue further, apparently because the animation is considered signal enough.
Via BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/pro/security/this-worrying-apple-safari-security-bug-could-leave-users-wide-open-to-cyberattacks
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)