New Browser Exploit Technique Undermines Phishing Detection
Researchers examining common web browsers for security flaws have uncovered a new potential weapon for phishing-based threat actors, one that is especially dangerous because it requires no outside interference, bugs or vulnerabilities. The attack abuses a basic element of the browser API and affects all browsers to some degree, but Safari most of all. It is called a Fullscreen Browser-in-the-Middle (BitM) attack; in principle it works like other BitM attacks, but it additionally leverages the fullscreen function that most browsers provide.
The flaw being leveraged is very simple. When the Fullscreen API is invoked and the target user enters fullscreen mode, browser elements such as the address bar are no longer visible. In this state, if the user is redirected from what they believe to be a legitimate website to an attacker-controlled domain, they have no way of knowing it. Safari is more vulnerable than other browsers because it has no prompt to alert the user when they are entering fullscreen mode. Chromium-based browsers, including Chrome and Microsoft Edge, have built-in functionality that shows a message prompt when the browser enters fullscreen mode. In every browser, entering fullscreen mode does require an explicit user interaction, but social engineering can be used to make the user perform that action, for example by tying the login button to entering fullscreen.
Leveraging this flaw is straightforward. The threat actor creates a fake SaaS login page and pushes it via malvertising or search engine poisoning. A user, believing the page is legitimate, uses it to log into their account. The attacker ties the login button to a fullscreen request while simultaneously opening a new attacker-controlled domain, masking the transition because the user cannot see the new URL in fullscreen mode. If the user then continues to log in, the attacker gains access to the account, and the user is logged into the legitimate service none the wiser that their credentials have just been stolen.
This attack is difficult to mitigate: EDRs have no visibility into the browser, and there are no malicious files to detect, because what is being exploited is an architectural flaw in the browser itself. Hopefully this flaw will be mended in the future, but in the meantime users will have to exercise special vigilance when reaching services via advertisements or search engine results. It is generally recommended to avoid these, since they are easy places for threat actors to lurk.
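One compensating control a defender can deploy today, as an added example that is not part of the article or any named product: a browser-extension content script that refuses fullscreen mode on any origin the user has not explicitly allowed, which stands in for the prompt Safari lacks. The allow list, the function names and the prefixed Safari fallbacks are assumptions; the script must be injected at document start on all URLs by the extension manifest.

```javascript
// Added example (not from the article): content script that forces a page
// back out of fullscreen unless its origin is on a user-maintained allow list.

// Origins the user expects to use in fullscreen (assumed, constructed list).
const ALLOWED_FULLSCREEN_ORIGINS = new Set([
  "https://meet.example.com",
  "https://video.example.com",
]);

// Pure decision logic, kept apart from the DOM so it can be tested offline.
// Any other origin is forced back out of fullscreen, so a page cannot keep
// the address bar hidden while it presents a "login" form.
function fullscreenDecision(isFullscreen, origin, allowed) {
  if (!isFullscreen) {
    return { action: "none", reason: "not in fullscreen" };
  }
  if (allowed.has(origin)) {
    return { action: "allow", reason: `${origin} is on the allow list` };
  }
  return { action: "exit", reason: `${origin} is not allowed to go fullscreen` };
}

// DOM wiring; runs only when loaded as a content script in a real page.
// Returns false in Node or any environment without a document.
function installFullscreenGuard(allowed) {
  if (typeof document === "undefined") return false;
  const onChange = () => {
    // Unprefixed API first, webkit-prefixed fallback for older Safari.
    const el = document.fullscreenElement ?? document.webkitFullscreenElement ?? null;
    const decision = fullscreenDecision(el !== null, location.origin, allowed);
    if (decision.action === "exit") {
      console.warn("[fullscreen-guard]", decision.reason);
      const exit = document.exitFullscreen || document.webkitExitFullscreen;
      Promise.resolve(exit.call(document)).catch(() => {});
    }
  };
  document.addEventListener("fullscreenchange", onChange);
  document.addEventListener("webkitfullscreenchange", onChange);
  return true;
}

installFullscreenGuard(ALLOWED_FULLSCREEN_ORIGINS);
```

A hostile page can keep re-requesting fullscreen, but each request needs a fresh user gesture, so the guard turns a silent transition into a visibly fighting page; the Chromium prompt remains the stronger control where it exists.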