YNOT – A computer science student has developed a proof-of-concept attack that exploits the FullScreen application programming interface in HTML5 to carry out phishing schemes in ways that have security experts on edge. Unlike many other attacks, the exploit relies on social engineering rather than faulty code.
Stanford University student Feross Aboukhadijeh, 21, proved the FullScreen API allows hackers to insert subtle, if malicious, code that can hijack an end-user’s browser, replacing it with a sort of overlay designed to steal private information or distribute malware.
In his demo, Aboukhadijeh used what appeared to be a legitimate link to the Bank of America website. Users who hovered over the link saw what appeared to be the correct URL destination in the bottom left corner of the screen, as they normally would. In reality, though, clicking the HTML link automatically launched FullScreen browsing, obscuring the actual URL to which the user was redirected. A redirection capable of obscuring actual URLs represents a serious phishing threat.
The fake FullScreen browser doesn’t match bookmarks, browser customizations, menu bars, or plugins — at least yet — so users paying attention might notice the sneaky switch. Less savvy users might easily be hoodwinked into providing all kinds of sensitive information, especially if they believe they are interacting with a trusted site.
Developers of the major web browsers reportedly are scrambling for a solution that will warn users they have entered FullScreen mode and may be redirected to a site not of their choosing. Microsoft’s Internet Explorer 10 does not support the FullScreen API, so for once IE users are relatively safe — at least in the short term. Google Chrome version 22 and later offers some notice that a user has entered FullScreen mode, although the notice is easily overlooked. Apple’s Safari version 6.01 and later provides no notice. Only version 10 and later of Mozilla’s Firefox provides conspicuous notice.
