PALO ALTO, California, May 29th, 2025, CyberNewsWire
Today, SquareX released new threat research on an advanced Browser-in-the-Middle (BitM) attack targeting Safari users. As highlighted by Mandiant, adversaries have increasingly been using BitM attacks to steal credentials and gain unauthorized access to enterprise SaaS apps. BitM attacks work by using a remote browser to trick victims into interacting with an attacker-controlled browser through a pop-up window in the victim's browser. A typical BitM attack involves displaying the legitimate login page of an enterprise SaaS app, deceiving victims into divulging credentials and other sensitive information while thinking that they are doing their work in a regular browser window.
Despite this, one flaw that BitM attacks always had was the fact that the parent window would still display the malicious URL, making the attack less convincing to a security-aware user. However, as part of the Year of Browser Bugs (YOBB) project, SquareX's research team highlights a major Safari-specific implementation flaw involving the Fullscreen API. When combined with BitM, this vulnerability can be exploited to create a particularly convincing Fullscreen BitM attack, where the BitM window opens in fullscreen mode such that no suspicious URL from the parent window is visible. Safari users are particularly vulnerable to this attack as there is no clear visual indicator that the user has entered fullscreen. We have disclosed this vulnerability to Safari and were regrettably informed that there is no plan to address the issue.
The current Fullscreen API specifies that "the user has to interact with the page or a UI element in order for this feature to work." However, what the API does not specify is what kind of interaction is required to trigger fullscreen mode. Consequently, attackers can simply embed any button, such as a fake login button, in the pop-up that calls the Fullscreen API when clicked. This triggers a fullscreen BitM window that perfectly mimics a legitimate login page, including the URL displayed in the address bar.
"The Fullscreen BitM attack highlights architectural and design flaws in browser APIs, particularly the Fullscreen API," say the researchers at SquareX. "Users can unknowingly click on a fake button and trigger a fullscreen BitM window, particularly in Safari where there is no notification when the user enters fullscreen mode. Users that typically rely on URLs to verify the legitimacy of a website will have zero visual cues that they are on an attacker-controlled website. With how advanced BitM is becoming, it is critical for enterprises to have browser-native security measures to stop attacks that cannot be visually identified by even the most security-aware individuals."
While BitM attacks have primarily been used to steal credentials, session tokens and SaaS application data, the fullscreen variant has the potential to cause far more damage by making the attack imperceptible to most ordinary enterprise users. For instance, the landing site may have a button that claims to link to a government resource and opens up a fake government advisory page to spread misinformation or even gather sensitive company and personally identifiable information (PII). The victim may even subsequently open additional tabs in the attacker-controlled window, allowing adversaries to fully monitor the victim's browsing activity.
Fullscreen BitM window displaying a legitimate Figma login page and URL in the address bar (Disclaimer: Figma is used as an illustrative example)
Are other browsers vulnerable to Fullscreen BitM attacks too?
Unlike Safari, Firefox, Chrome, Edge and other Chromium-based browsers display a user message whenever fullscreen mode is toggled. However, this notification is extremely subtle and momentary in nature; most employees may not notice it or register it as a suspicious sign. Moreover, the attacker can also use dark modes and colors to make the notification even less noticeable. By contrast, Safari has no messaging requirement; the only visual sign of entering fullscreen mode is a "swipe" animation. Thus, while the attack shows no clear visual cues in Safari, other browsers are also exposed to the same Fullscreen API vulnerability that makes the Fullscreen BitM attack possible.
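The persistent fullscreen indicator the text says Safari lacks is something a browser-side agent can supply itself. The following is an added example of a browser-extension content script, not SquareX's code or product; it assumes the script runs on every page and that the origin allowlist is a constructed placeholder a real deployment would load from policy.

```javascript
// Added example, not SquareX's code: a content script that paints a persistent
// banner whenever a page enters fullscreen and exits fullscreen outright on
// origins not approved for it. The allowlist is a constructed placeholder.
const FULLSCREEN_ALLOWLIST = ["https://video.example.com"]; // constructed placeholder

// Policy: approved origins get a persistent banner ("warn"); any other origin
// entering fullscreen is pushed back out ("exit") and the event is logged.
function fullscreenPolicy(origin, allowlist = FULLSCREEN_ALLOWLIST) {
  return allowlist.includes(origin) ? "warn" : "exit";
}

// Detection record for the browser-side log or a SIEM forwarder.
function fullscreenEvent(origin, elementTag, action, now = Date.now()) {
  return { ts: new Date(now).toISOString(), origin, element: elementTag, action,
           reason: "page entered fullscreen; address bar is hidden" };
}

function bannerText(origin) {
  return `FULLSCREEN: this page is served by ${origin}. Press Esc to exit.`;
}

// DOM wiring; skipped when the file is loaded outside a browser (e.g. in tests).
if (typeof document !== "undefined") {
  const onChange = () => {
    // Older Safari versions only expose the webkit-prefixed names.
    const el = document.fullscreenElement || document.webkitFullscreenElement;
    if (!el) return; // leaving fullscreen, nothing to do
    const action = fullscreenPolicy(location.origin);
    console.log(JSON.stringify(fullscreenEvent(location.origin, el.tagName, action)));
    if (action === "exit") {
      const exit = document.exitFullscreen || document.webkitExitFullscreen;
      Promise.resolve(exit.call(document)).catch(() => {});
      return;
    }
    // Only the fullscreen element's subtree is painted, so the banner must be
    // a child of that element, not of document.body.
    const banner = document.createElement("div");
    banner.textContent = bannerText(location.origin);
    banner.style.cssText = "position:fixed;top:0;left:0;right:0;z-index:2147483647;" +
      "background:#b00020;color:#fff;padding:8px;font:16px sans-serif;text-align:center";
    el.appendChild(banner);
  };
  document.addEventListener("fullscreenchange", onChange);
  document.addEventListener("webkitfullscreenchange", onChange);
}
```

The page itself can observe and remove the banner or re-request fullscreen on the next click, so this is a visibility aid and a detection signal rather than a hard boundary.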
Existing security solutions fail to detect Fullscreen BitM attacks
Unfortunately, EDRs have zero visibility into the browser and have proven to be obsolete when it comes to detecting any BitM attack, much less its more advanced fullscreen variant. Moreover, orchestrating the attack with technologies such as remote browsers and pixel pushing can even allow it to bypass SASE/SSE detection by eliminating any suspicious local traffic. Consequently, without access to rich browser metrics, it is impossible for security tools to detect and mitigate Fullscreen BitM attacks. Thus, as phishing attacks become more sophisticated in exploiting architectural limitations of browser APIs that are either unfixable or will take browser vendors significant time to fix, it is critical for enterprises to rethink their defense strategy to include advanced attacks like Fullscreen BitM in the browser.
To learn more about this security research, users can visit https://sqrx.com/fullscreen-bitm.
SquareX's research team is also hosting a webinar on June 5th, 10am PT/1pm ET to dive deeper into the full attack chain. To register, users can click here.
About SquareX
SquareX is a pioneering Browser Detection and Response (BDR) solution that empowers organizations to proactively detect, mitigate, and effectively threat-hunt client-side web attacks. SquareX provides critical protection against a wide range of browser security threats, including malicious browser extensions, advanced spearphishing, browser-native ransomware, genAI DLP, and more. Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users' existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector: the browser. Users can find out more at www.sqrx.com.
The Fullscreen BitM attack disclosure is part of the Year of Browser Bugs project. Every month, SquareX's research team releases a major web attack that focuses on architectural limitations of the browser and incumbent security solutions. Previously disclosed attacks include Browser Syncjacking, Polymorphic Extensions and Browser-Native Ransomware.
To learn more about SquareX's BDR, users can contact SquareX at [email protected]. For press enquiries on this disclosure or the Year of Browser Bugs, users can email [email protected].
Contact
Head of PR
Junice Liew
SquareX
[email protected]