Full Report
PALO ALTO, California, 29th May 2025, CyberNewsWire
Analysis Summary
# Vulnerability: Fullscreen Browser-in-the-Middle (BitM) Attack in Safari
## CVE Details
- CVE ID: Not assigned in the provided text; this is a newly disclosed architectural flaw.
- CVSS Score: Not assigned in the provided text. (Likely High severity due to convincing phishing potential)
- CWE: Missing in the provided text. The closest related weaknesses are **CWE-20: Improper Input Validation** (in an API/UI handling context) or **CWE-642: External Control of Assumed-Immutable Web Attributes** ('HTTP Header Injection' variant in an API usage context), specifically concerning Fullscreen API behavior.
## Affected Systems
- Products: Apple Safari
- Versions: All versions whose Fullscreen API implementation lacks a clear visual indication on entering fullscreen mode (no fixed version is named in the provided text).
- Configurations: Any configuration where the Fullscreen API can be triggered via user interaction on a page.
## Vulnerability Description
Researchers at SquareX disclosed an architectural flaw in **Apple Safari's implementation of, and adherence to, the Fullscreen API specification**. The API generally requires user interaction before a page may enter fullscreen mode, but the specification does not define *what* interaction is required. Attackers can combine this with a Browser-in-the-Middle (BitM) attack, in which a remote, attacker-controlled browser is presented on the victim's screen through a pop-up window. Critically, Safari displays no clear visual notification or prompt when entering fullscreen mode (only a subtle swipe animation). The attacker can therefore trigger the BitM pop-up into a **perfectly convincing fullscreen mode** that shows the legitimate URL in the address bar of the fake window. This removes the primary visual indicator that previously exposed BitM attacks: the malicious parent window's URL.
Other browsers (Chrome, Firefox, Edge) *do* display a notification upon entering fullscreen, although this notification is described as "subtle and momentary."
## Exploitation
- Status: **PoC available** (Demonstrated via research project)
- Complexity: **Low to Medium** (Relies on established BitM techniques combined with API manipulation)
- Attack Vector: **Network** (Via a malicious website/pop-up redirect/trick)
## Impact
- Confidentiality: **High** (Allows for theft of credentials, session tokens, and PII/sensitive company data)
- Integrity: **High** (Allows manipulation of user interaction and potentially spread of misinformation via fake landing pages)
- Availability: **Low to Medium** (Indirect impact via service compromise, direct impact on user trust)
## Remediation
### Patches
- **No official patch or plan announced by Apple for Safari** at the time of disclosure.
### Workarounds
- **Enterprise Mitigation (Recommended by Researchers):** Implement browser-native security measures (such as Browser Detection and Response/BDR solutions) capable of monitoring rich browser metrics, as traditional EDR/SASE solutions lack visibility into these client-side API interactions.
- **User Awareness:** Users must be highly suspicious of unexpected fullscreen pop-ups, although this is difficult as the visual cues that normally expose the attack are missing in Safari.
- **General Browser Mitigation (For non-Safari browsers):** While the attack is most effective in Safari due to the lack of a prompt, users in other browsers should be aware that fullscreen toggles *should* trigger a notification, even if subtle.
## Detection
- **Indicators of Compromise (IoCs):** In Safari, an unexpected transition to fullscreen mode without explicit user acknowledgment, especially during authentication workflows.
- **Detection Methods and Tools:** Security tools (EDR/SASE) are reported as having **zero visibility** into this attack vector as it occurs entirely within controlled browser APIs, bypassing local traffic monitoring. Detection requires specialized **Browser Detection and Response (BDR)** solutions that monitor client-side browser metrics.
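The Detection section above calls for client-side monitoring of Fullscreen API transitions. The following added example (not SquareX's code and not from the press release) scores recorded fullscreen entries using the signals the summary identifies, a pop-up window entering fullscreen and a transition without a clear user gesture, and escalates when the page looks like an authentication workflow; the event schema, the one-second gesture window and the path pattern are assumptions, and the gesture signal is deliberately treated as weak because the attack harvests a genuine click.

```javascript
// Added example (not SquareX's code): client-side monitor for Fullscreen API
// transitions that fit the BitM pattern above. Event records use a constructed
// schema; the real hooks are the fullscreenchange / webkitfullscreenchange
// events, document.fullscreenElement, window.opener and Event.isTrusted.
const GESTURE_WINDOW_MS = 1000;                   // assumed "recent gesture" tolerance
const AUTH_PATH = /\/(login|signin|auth|sso)\b/i;  // assumed auth-workflow path heuristic
// Score each transition *into* fullscreen. A BitM page harvests a real click to
// satisfy the API's gesture requirement, so the gesture check alone is weak.
function analyzeFullscreenEvents(events) {
  const findings = [];
  let lastTrustedGesture = -Infinity;
  for (const ev of events) {
    if (ev.type === 'gesture' && ev.isTrusted) { lastTrustedGesture = ev.t; continue; }
    if (ev.type !== 'fullscreenchange' || !ev.entered) continue;
    const signals = [];
    if (ev.isPopup) signals.push('entered from a pop-up window (window.opener set)');
    if (ev.t - lastTrustedGesture > GESTURE_WINDOW_MS) signals.push('no trusted gesture within the last second');
    if (signals.length === 0) continue;           // ordinary, user-driven fullscreen
    if (AUTH_PATH.test(ev.path)) signals.push('page path looks like an authentication workflow');
    findings.push({ t: ev.t, severity: signals.length >= 2 ? 'high' : 'medium', signals });
  }
  return findings;
}
// Wire the analyzer to a live window. Intended for a content script injected into
// every window, pop-ups included, since a page cannot observe another window.
function attachFullscreenMonitor(doc, win, onFinding) {
  const events = [];
  const gesture = (e) => events.push({ type: 'gesture', t: Date.now(), isTrusted: e.isTrusted });
  doc.addEventListener('pointerdown', gesture, true);
  doc.addEventListener('keydown', gesture, true);
  const onChange = () => {
    const t = Date.now();
    const entered = (doc.fullscreenElement || doc.webkitFullscreenElement) != null;
    events.push({ type: 'fullscreenchange', t, entered, isPopup: win.opener != null, path: win.location.pathname });
    analyzeFullscreenEvents(events).filter((f) => f.t === t).forEach(onFinding);
  };
  doc.addEventListener('fullscreenchange', onChange);
  doc.addEventListener('webkitfullscreenchange', onChange); // prefixed name on older Safari
}
// Constructed sample (not real telemetry): a user-driven video fullscreen, a pop-up
// going fullscreen right after the click it harvested, then an entry with no gesture.
const SAMPLE_EVENTS = [
  { type: 'gesture', t: 100, isTrusted: true },
  { type: 'fullscreenchange', t: 150, entered: true, isPopup: false, path: '/watch' },
  { type: 'fullscreenchange', t: 5000, entered: false, isPopup: false, path: '/watch' },
  { type: 'gesture', t: 9000, isTrusted: true },
  { type: 'fullscreenchange', t: 9050, entered: true, isPopup: true, path: '/auth/login' },
  { type: 'fullscreenchange', t: 12000, entered: true, isPopup: false, path: '/watch' },
];
```

In a content script, call `attachFullscreenMonitor(document, window, f => console.warn('fullscreen-bitm', f))`; on the sample sequence, `analyzeFullscreenEvents(SAMPLE_EVENTS)` yields a high-severity finding for the pop-up at t=9050 and a medium one for the gesture-less entry at t=12000.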
## References
- Vendor Advisories: None specific to a patch, only disclosure from SquareX.
- Relevant links (defanged):
  - sqrx com/fullscreen-bitm
  - sqrx com/research
  - cloud google com/blog/topics/threat-intelligence/session-stealing-browser-in-the-middle