Introduction

A significant security weakness in Apple’s Safari web browser has given rise to a phishing technique known as the Fullscreen Browser-in-the-Middle (BitM) attack. The method, identified by SquareX [8], abuses Safari’s Fullscreen API to hide the attacker’s URL, which makes it particularly deceptive and hard to detect [3] [5] [6] [8].

Description

A critical security flaw in Apple’s Safari web browser has led to the emergence of a new phishing technique known as the Fullscreen Browser-in-the-Middle (BitM) attack, identified by SquareX [8]. The method exploits a weakness in Safari’s Fullscreen API: the browser shows no adequate visual indicator when a page enters fullscreen mode [4] [5] [6], so users receive little warning [5]. Unlike earlier phishing tactics that relied on typosquatting or blatant URL spoofing, this variant extends traditional BitM methods by hiding the URL entirely, which complicates detection [2] [3]. The only cue is a subtle “swipe” animation during the transition to fullscreen, which is easily overlooked; this lets attackers present a fullscreen window that mimics a legitimate login page while the malicious URL stays out of view [5] [6].

Attackers trigger fullscreen mode by embedding fake login buttons in pop-up windows; because the Fullscreen API can only be invoked from a user gesture such as a click, the button press both satisfies that requirement and starts the attack [6]. They often use tools like noVNC to stream a remote browser session into the victim’s browser [7], capturing credentials while the user believes they are signing in to their account normally. The typical sequence is: the user clicks a malicious link from an ad or social media post [7], is redirected to a convincing fake website [7], and then clicks a login button that opens the hidden BitM window [7]. Beyond credential theft, the technique carries the risk of more severe outcomes [6], such as spreading misinformation through fake government advisory pages or harvesting sensitive personal and company information. Victims are often lured to phishing sites impersonating trusted services [1], where the attacker’s browser takes over the entire screen without alerting the user [1].

In contrast, Chromium-based browsers such as Chrome and Edge, as well as Firefox, display a clear notification when a page enters fullscreen mode [1] [3] [4] [5] [6] [7], which makes their users less susceptible to this attack. The Fullscreen API itself behaves the same way across browsers [5], but Safari’s lack of messaging makes it uniquely vulnerable [5]. Current endpoint detection and response (EDR) solutions have little visibility into browser activity [2] [4], which leaves them ineffective against both standard and fullscreen BitM attacks [6]. The use of remote browser technology and pixel pushing complicates detection further, because only screen pixels and input events cross the network and little suspicious traffic is visible on the local machine [2]. Additionally, because the victim can open new tabs inside the attacker-controlled window, the adversary can monitor all of the victim’s subsequent browsing [2].

As phishing techniques continue to evolve and exploit browser weaknesses [4] [5] [6], enterprises need to reassess their security strategies to address the risks posed by Fullscreen BitM attacks [4], which can lead to the theft of sensitive information or the spread of misinformation [4]. To mitigate this class of phishing [1], users should be cautious when interacting with fullscreen login prompts, especially ones reached from ads or social media [1], and should navigate to services directly rather than through potentially malicious links [3]. Enterprises are encouraged to deploy browser-native security tools that monitor in-browser activity [1], because standard security solutions such as EDRs or SASE/SSE are ineffective against attacks that rely on standard browser APIs rather than malware [7]. Apple has responded to the report with a “wontfix” decision [7], asserting that the existing animation sufficiently indicates the mode change [7].
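As an added example of the browser-native monitoring described above (this is not code from the original article or from SquareX), the sketch below shows what a browser-extension content script can do on Safari: supply the fullscreen indicator the browser lacks by stamping the real hostname onto the fullscreen element, and exit fullscreen outright when the fullscreen content looks like a remote-browser view. The allowlisted hostnames are constructed sample values, and the canvas/iframe heuristic is an assumption drawn from how noVNC-style remote sessions are rendered.

```javascript
// Added example, not code from the original article or from SquareX: a sketch
// of a browser-extension content script that supplies the fullscreen indicator
// the article says Safari lacks, and exits fullscreen when the content looks
// like a remote-browser view. Hostnames below are constructed sample values.
const ALLOWED_FULLSCREEN_HOSTS = new Set(["video.example.com", "meet.example.com"]);

// Elements that render no children, so an in-page banner could not be shown on them.
const REPLACED = new Set(["iframe", "canvas", "video", "object", "embed", "img"]);

// Pure policy decision, kept free of DOM calls so it can be unit-tested.
//   hostname      - hostname of the page that requested fullscreen (the value the
//                   now-hidden address bar would have shown)
//   tagName       - lowercase tag of the element that went fullscreen
//   hasRemoteView - the fullscreen subtree contains a <canvas> or a cross-origin
//                   <iframe>, the usual carriers of a noVNC-style remote session
function assessFullscreen({ hostname, tagName, hasRemoteView }) {
  if (ALLOWED_FULLSCREEN_HOSTS.has(hostname)) return { action: "allow", reason: "allowlisted host" };
  if (hasRemoteView) return { action: "exit", reason: `remote-browser style content on ${hostname}` };
  if (REPLACED.has(tagName)) return { action: "exit", reason: `cannot attach indicator to <${tagName}>` };
  return { action: "warn", reason: `fullscreen on unlisted host ${hostname}` };
}

function bannerText(hostname) {
  return `Fullscreen page: ${hostname} (press Esc to leave fullscreen)`;
}

// Browser-only wiring. Safari exposes the webkit-prefixed names; the capture
// phase is used so the page cannot stop the event before the script sees it.
if (typeof document !== "undefined") {
  const onChange = () => {
    const el = document.fullscreenElement || document.webkitFullscreenElement;
    if (!el) return; // fullscreen was exited
    const tagName = el.tagName.toLowerCase();
    const views = el.matches("canvas, iframe") ? [el] : [...el.querySelectorAll("canvas, iframe")];
    const hasRemoteView = views.some((v) => v.tagName === "CANVAS" || v.contentDocument === null);
    const verdict = assessFullscreen({ hostname: location.hostname, tagName, hasRemoteView });
    if (verdict.action === "exit") {
      console.warn("fullscreen rejected:", verdict.reason);
      (document.exitFullscreen || document.webkitExitFullscreen).call(document);
    } else if (verdict.action === "warn") {
      const banner = document.createElement("div");
      banner.textContent = bannerText(location.hostname);
      banner.style.cssText = "position:fixed;top:0;left:0;right:0;z-index:2147483647;" +
        "background:#b00020;color:#fff;padding:6px;font:14px sans-serif;text-align:center";
      el.appendChild(banner); // must live inside the fullscreen element to be visible
    }
  };
  document.addEventListener("fullscreenchange", onChange, { capture: true });
  document.addEventListener("webkitfullscreenchange", onChange, { capture: true });
}
```

A page can remove the banner from its own DOM, so this is a visibility aid for the user rather than an enforcement boundary; the exit path is the stronger control.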

Conclusion

The Fullscreen BitM attack represents a significant threat to Safari users and highlights the need for stronger safeguards. As phishing tactics grow more sophisticated, both individuals and enterprises must remain vigilant and proactive in their security practices. Users should be cautious of fullscreen prompts and prefer direct access to services, while enterprises should consider adopting browser-native security tools to monitor for and protect against such attacks. Apple’s decision not to address this flaw underscores the importance of user awareness and of security strategies that do not depend on the browser’s own indicators.

References

[1] https://cyberinsider.com/apple-safari-users-vulnerable-to-stealthy-browser-attacks/
[2] https://cyberdefensewire.com/fullscreen-bitm-attack-discovered-by-squarex-exploits-browser-fullscreen-apis-to-steal-credentials-in-safari/
[3] https://osintcorp.net/new-browser-exploit-technique-undermines-phishing-detection/
[4] https://cybertechnologyinsights.com/technology/squarex-uncovers-bitm-attack-using-safari-fullscreen-api-to-steal-credentials/
[5] https://securityboulevard.com/2025/05/fullscreen-bitm-attack-discovered-by-squarex-exploits-browser-fullscreen-apis-to-steal-credentials-in-safari/
[6] https://www.cybersecurity-insiders.com/fullscreen-bitm-attack-discovered-by-squarex-exploits-browser-fullscreen-apis-to-steal-credentials-in-safari/
[7] https://clickcontrol.com/cyber-threat/alert-safari-vulnerability-exposes-users-to-credential-theft-through-fullscreen-attacks/
[8] https://www.infosecurity-magazine.com/news/browser-exploit-technique/