Full Report
A weakness in Apple's Safari web browser allows threat actors to leverage the fullscreen browser-in-the-middle (BitM) technique to steal account credentials from unsuspecting users. [...]
Analysis Summary
# Vulnerability: Safari Fullscreen Mode Absence Enables Convincing Browser-in-the-Middle Attacks
## CVE Details
- CVE ID: N/A (no CVE identifier is given in the source)
- CVSS Score: N/A (no severity score is given in the source)
- CWE: N/A
## Affected Systems
- Products: Apple Safari
- Versions: Not specified. Apple responded with a "wontfix" status, so the behaviour should be assumed to persist in current versions.
- Configurations: Any configuration where a user is tricked into clicking a malicious link that initiates a login flow mimicking a legitimate service (e.g., via sponsored ads, social media).
## Vulnerability Description
This weakness concerns how Apple Safari handles a web page's request to enter fullscreen mode. An attacker lures the user to a malicious link (for example through a sponsored ad) that loads a deceptive login page impersonating a legitimate service such as Figma. When the user interacts with the fake login prompt, an attacker-controlled browser window that was previously hidden activates and enters fullscreen mode *without displaying a clear visual warning*; Chromium-based browsers (Chrome, Edge) and Firefox show an explicit notice at this point, whereas Safari only shows a subtle "swipe" animation. The fullscreen window can then completely overlay the genuine page content, hiding the real URL and producing a convincing Browser-in-the-Middle (BitM) phishing flow in which the user types credentials into an interface the attacker controls. The attack depends on the user missing the subtle fullscreen indicator.
## Exploitation
- Status: Proof of concept demonstrated by researchers at SquareX. The source does not state that the technique has been exploited in the wild.
- Complexity: Low (the attacker only needs the victim to click a malicious link, which can be delivered through advertising).
- Attack Vector: Network (user interaction via redirection from a malicious link).
## Impact
- Confidentiality: High (credentials for the targeted service are harvested directly).
- Integrity: Medium (depends on what the stolen credentials allow the attacker to change within the compromised account or session).
- Availability: Low (the attack is aimed at credential theft and has minimal direct effect on service availability).
## Remediation
### Patches
- No patched version is available. Apple responded with a "wontfix", indicating it does not currently plan to add a clear fullscreen warning.
### Workarounds
- Users must watch for the subtle "swipe" animation that indicates a transition to fullscreen mode when interacting with login prompts.
- The attack requires the victim to first click a link that starts the deceptive flow, so avoiding suspicious links, especially those delivered through sponsored ads, removes the attacker's initial access.
## Detection
- **Indicators of Compromise:** Unexpected entry into fullscreen mode while interacting with a login prompt, or the subtle fullscreen transition animation appearing at that moment.
- **Detection Methods and Tools:** The source notes that standard EDR and SASE/SSE solutions do *not* raise warnings, because the attack abuses a standard browser API (the Fullscreen API) rather than anything malformed. Detection therefore rests on user vigilance or on monitoring that flags fullscreen transitions triggered during login flows.
## References
- Vendor advisories: Apple provided a "wontfix" response; no advisory was published.
- Relevant links (defanged):
  - Researchers' original findings, as reported: hxxps://www.bleepingcomputer.com/news/security/apple-safari-exposes-users-to-fullscreen-browser-in-the-middle-attacks/