The Good Tech Companies - Fullscreen BitM Attack Discovered By SquareX Exploits Browser Fullscreen APIs To Steal Credentials
Episode Date: May 29, 2025
This story was originally published on HackerNoon at: https://hackernoon.com/fullscreen-bitm-attack-discovered-by-squarex-exploits-browser-fullscreen-apis-to-steal-credentials. ... A common BitM attack involves displaying the legitimate login page of an enterprise SaaS Check more stories related to cybersecurity at: https://hackernoon.com/c/cybersecurity. You can also check exclusive content about #cybersecurity, #squarex, #press-release, #cybernewswire, #squarex-announcement, #cyber-security-awareness, #cybercrime, #good-company, and more. This story was written by: @cybernewswire. Learn more about this writer by checking @cybernewswire's about page, and for more stories, please visit hackernoon.com. A new attack on Safari uses a flaw in the Fullscreen API to create a fullscreen BitM window. Safari users are especially vulnerable to this attack as there is no clear visual indicator of users entering fullscreen. Existing security solutions fail to detect the attack and are proven to be obsolete when it comes to detecting any BitM attack.
Transcript
This audio is presented by Hacker Noon, where anyone can learn anything about any technology.
Fullscreen BitM attack discovered by SquareX exploits browser Fullscreen APIs to steal credentials
by CyberNewswire.
Palo Alto, California, May 29, 2025, CyberNewswire. Today, SquareX released new threat
research on an advanced Browser-in-the-Middle (BitM) attack targeting Safari users. As highlighted by Mandiant, adversaries have been increasingly using BitM attacks
to steal credentials and gain unauthorized access to enterprise SaaS apps. BitM attacks
work by using a remote browser to trick victims into interacting with an attacker-controlled
browser via a pop-up window in the victim's browser.
A common BitM attack involves displaying the legitimate login page of an enterprise SaaS
app, deceiving victims into divulging credentials and other sensitive information while thinking that
they are conducting work in a regular browser window.
Despite this, one weakness that BitM attacks always had was that the parent window would
still display the malicious URL, making the attack less convincing to a security-aware
user.
However, as part of the Year of Browser Bugs (YOBB) project, SquareX's research team highlights
a major Safari-specific implementation flaw in the Fullscreen API.
When combined with BitM, this vulnerability can be exploited to create an extremely convincing
Fullscreen BitM attack, where the BitM window opens in fullscreen mode so that no suspicious URL from the parent window is visible.
Safari users are especially vulnerable to this attack as there is no clear visual indicator
of users entering fullscreen.
We have disclosed this vulnerability to Safari and were regrettably informed that there is
no plan to address the issue.
The current Fullscreen API specifies that the user has to interact with the page or a UI element in order for this feature to work. However, what the API does not specify is what kind of interaction is required to trigger fullscreen mode. Consequently, attackers can easily embed any button, such as a fake login button, in the pop-up that calls the Fullscreen API when clicked. This triggers a fullscreen BitM window that perfectly mimics a legitimate login page,
including the URL displayed in the address bar.
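The paragraph above describes the gap from the attacker's side: any click satisfies the activation requirement, and in Safari the transition is silent. From a defender's side, the same transition is observable from script, because the browser fires `fullscreenchange` (Safari: `webkitfullscreenchange`) and exposes the element that went fullscreen via `document.fullscreenElement` / `document.webkitFullscreenElement`. The following is an added example, not code from SquareX or the press release: a content-script-style monitor, of the kind an enterprise browser extension could deploy, that records the user's last click and raises an alert when a non-media element (a whole document or an iframe, which is the BitM pattern) goes fullscreen right after a click on an ordinary control. The media/control tag lists, the two-second click window and the stub document used to run it outside a browser are assumptions.

```javascript
// Added example (not SquareX's code): flag fullscreen transitions that were
// not requested by a media element. Assumed allowlists and time window.
const MEDIA_TAGS = new Set(["VIDEO", "CANVAS"]);       // commonly go fullscreen legitimately
const CONTROL_TAGS = new Set(["BUTTON", "A", "INPUT"]); // ordinary page controls
const CLICK_WINDOW_MS = 2000;                           // "right after a click" threshold

function tagOf(el) {
  return el && el.tagName ? String(el.tagName).toUpperCase() : null;
}

// Attach to a document-like object exposing addEventListener/removeEventListener,
// fullscreenElement and (Safari) webkitFullscreenElement. `clock` is injectable
// so the behaviour can be exercised deterministically.
function createFullscreenMonitor(doc, onAlert, clock = Date.now) {
  let lastClick = null;
  const log = [];

  function onPointerDown(ev) {
    const t = ev.target;
    lastClick = {
      tag: tagOf(t),
      text: ((t && t.textContent) || "").trim().slice(0, 40),
      at: clock(),
    };
  }

  function onFullscreenChange() {
    const el = doc.fullscreenElement || doc.webkitFullscreenElement || null;
    const record = {
      entered: el !== null,
      fullscreenTag: tagOf(el),
      trigger: lastClick,
      suspicious: false,
      reason: "",
    };
    if (record.entered && !MEDIA_TAGS.has(record.fullscreenTag)) {
      // A document, div or iframe going fullscreen is what a BitM pop-up does.
      record.suspicious = true;
      const recent = lastClick && clock() - lastClick.at <= CLICK_WINDOW_MS;
      record.reason =
        recent && CONTROL_TAGS.has(lastClick.tag)
          ? `non-media <${record.fullscreenTag}> went fullscreen after a click on <${lastClick.tag}> "${lastClick.text}"`
          : `non-media <${record.fullscreenTag}> went fullscreen without a recent click on a known control`;
    }
    log.push(record);
    if (record.suspicious) onAlert(record);
  }

  doc.addEventListener("pointerdown", onPointerDown, true); // capture phase: see the click first
  doc.addEventListener("fullscreenchange", onFullscreenChange);
  doc.addEventListener("webkitfullscreenchange", onFullscreenChange); // Safari's prefixed event
  return {
    log,
    dispose() {
      doc.removeEventListener("pointerdown", onPointerDown, true);
      doc.removeEventListener("fullscreenchange", onFullscreenChange);
      doc.removeEventListener("webkitfullscreenchange", onFullscreenChange);
    },
  };
}

// Constructed stand-in for `document`, so the monitor runs outside a browser.
function makeStubDocument() {
  const listeners = new Map();
  return {
    fullscreenElement: null,
    webkitFullscreenElement: null,
    addEventListener(type, fn) {
      if (!listeners.has(type)) listeners.set(type, []);
      listeners.get(type).push(fn);
    },
    removeEventListener(type, fn) {
      listeners.set(type, (listeners.get(type) || []).filter((f) => f !== fn));
    },
    emit(type, ev = {}) { (listeners.get(type) || []).forEach((fn) => fn(ev)); },
  };
}

// Constructed scenario: one legitimate video fullscreen, then the pattern from
// the text (a "Sign in" button click immediately fullscreens an iframe).
function runDemoScenario() {
  let t = 1000;
  const doc = makeStubDocument();
  const alerts = [];
  const mon = createFullscreenMonitor(doc, (r) => alerts.push(r), () => t);

  const video = { tagName: "VIDEO", textContent: "" };
  doc.emit("pointerdown", { target: video });
  t += 100;
  doc.fullscreenElement = video;
  doc.emit("fullscreenchange");      // legitimate: media element
  doc.fullscreenElement = null;
  doc.emit("fullscreenchange");      // exit

  const signIn = { tagName: "BUTTON", textContent: "  Sign in  " };
  const frame = { tagName: "IFRAME", textContent: "" };
  t += 100;
  doc.emit("pointerdown", { target: signIn });
  t += 50;
  doc.webkitFullscreenElement = frame; // Safari only sets the prefixed property
  doc.emit("webkitfullscreenchange");  // flagged

  mon.dispose();
  return { log: mon.log, alerts };
}

// In a real page or extension content script:
if (typeof document !== "undefined") {
  createFullscreenMonitor(document, (r) => console.warn("fullscreen alert:", r.reason));
}
```

The monitor does not block anything; it produces a record that a browser-side security product could surface as a user-visible banner (the cue Safari lacks) or forward as telemetry. Keying on the fullscreen element's tag rather than on the URL is deliberate, since the URL shown inside a BitM window is the legitimate one.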
"The fullscreen BitM attack highlights architectural and design flaws in browser APIs, specifically the Fullscreen API," say the researchers at SquareX. "Users can unknowingly click on a fake button and trigger a fullscreen BitM window, especially in Safari, where there is no notification when the user enters fullscreen mode. Users that typically rely on URLs to verify the legitimacy of a site will have zero visual cues that they are on an attacker-controlled site. With how advanced BitM is becoming, it is critical for enterprises to have browser-native security measures to stop attacks that can no longer be visually identified by even the most security-aware individuals."
While BitM attacks have primarily been used to steal credentials, session tokens and SaaS application data, the fullscreen variant has the potential
to lead to even more damage by making the attack imperceptible for most ordinary enterprise users.
For instance, the landing site may have a button that claims to link to a government
resource and opens a fake government advisory page to spread misinformation and
even gather sensitive company and personally identifiable information (PII).
The victim can even subsequently open additional tabs in the attacker-controlled
window, allowing adversaries to fully monitor the victim's browsing activity.
Fullscreen BitM window displaying the legitimate Figma login page and URL in the address bar.
Disclaimer: Figma is used as an illustrative example.
Other browsers are vulnerable to fullscreen BitM attacks too. Unlike Safari, Firefox, Chrome, Edge
and other Chromium-based browsers display a user message whenever fullscreen mode
is toggled. However, this notification is extremely subtle and momentary in nature.
Most employees might not notice or register it as a suspicious sign. Additionally, the
attacker can also use dark modes and colors to make the notification even less noticeable.
By contrast, Safari does not have a messaging requirement.
The only visual sign of entering fullscreen mode is a "swipe" animation.
Thus, while the attack shows no clear visual cues in Safari,
other browsers are also exposed to the same Fullscreen API vulnerability that makes the fullscreen BitM attack possible.
Existing security solutions fail to detect fullscreen BitM attacks.
Unfortunately, EDRs have zero visibility into the browser and are proven to be obsolete when it comes to detecting any BitM attack,
much less its more advanced fullscreen variant.
Additionally, orchestrating the attack with technologies such as remote browsers and pixel
pushing also allows it to bypass SASE/SSE detection by eliminating any suspicious
local traffic.
As a result, without access to rich browser metrics, it is impossible for security tools
to detect and mitigate fullscreen BitM attacks.
Thus, as phishing attacks become more sophisticated and exploit architectural limitations of browser
APIs that are either unfixable or will take browser providers significant time to fix,
it is critical for enterprises to rethink their defense strategy to include advanced
in-browser attacks like fullscreen BitM.
To learn more about this security research, users can visit https://sqrx.com (Fullscreen BitM). SquareX's research team is also holding a webinar
on June 5th at 10 am PT / 1 pm ET to dive deeper into the full attack chain.
To register, users can click here.
About SquareX: SquareX is a pioneering Browser Detection and Response (BDR) solution that empowers organizations to proactively
detect, mitigate, and effectively threat-hunt client-side web attacks.
SquareX provides critical protection against a wide range of browser security threats,
including malicious browser extensions, advanced spearphishing, browser-native ransomware, GenAI DLP,
and more.
Unlike legacy security approaches and cumbersome
enterprise browsers, SquareX seamlessly integrates with users' existing consumer
browsers, ensuring enhanced security without compromising user experience or
productivity. By delivering unparalleled visibility and control directly within
the browser, SquareX enables security leaders to reduce their attack surface,
gain actionable intelligence,
and strengthen their enterprise cybersecurity posture against the newest threat vector,
the browser.
Users can find out more at www.sqrx.com.
The fullscreen BitM attack disclosure is part of the Year of Browser Bugs project.
Every month, SquareX's research team releases a major web attack that focuses on architectural limitations of the browser and incumbent security solutions.
Previously disclosed attacks include browser syncjacking, polymorphic extensions and browser-native ransomware.
To learn more about SquareX's BDR, users can contact SquareX at founder@sqrx.com. For press inquiries on this disclosure or the Year of Browser Bugs,
users can email junus@sqrx.com. Contact: Head of PR, Junus Liu, SquareX, junus@sqrx.com.
This story was published as a press release by CyberNewswire under HackerNoon's Business
Blogging Program. Thank you for listening to this HackerNoon story, read by artificial intelligence.