Security researchers at SquareX have uncovered a sophisticated evolution of Browser-in-the-Middle (BitM) attacks that exploits Safari’s Fullscreen API to create virtually undetectable credential theft campaigns.
This new “Fullscreen BitM” technique addresses a critical weakness in traditional BitM attacks by completely hiding malicious URLs from victims, making it particularly effective against security-aware users who typically check address bars before entering sensitive information.
The new Fullscreen BitM attack represents a significant advancement over traditional Browser-in-the-Middle techniques, which according to MITRE, involve adversaries exploiting “inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim’s browser to the adversary’s system”.
Conventional BitM attacks suffered from a critical flaw: the parent window still displayed a malicious URL that could alert security-conscious users. This new variant completely eliminates that telltale sign.
The attack begins when victims land on phishing sites that impersonate popular applications through social engineering tactics, such as fake Google advertisements targeting services like Figma.
When victims click what appears to be a legitimate login button, the action triggers a transient user activation that calls the browser’s requestFullscreen() method, opening a BitM window displaying an attacker-controlled remote browser in fullscreen mode.
This fullscreen window completely covers the parent window, leaving no suspicious URLs visible when victims enter their credentials.
The technique has already been observed in real-world attacks, including campaigns targeting Counter-Strike 2 gamers through cryptocurrency and skin giveaways, where compromised Steam accounts were sold on black markets for up to $300,000.
Safari vulnerability
Safari browsers are particularly vulnerable to Fullscreen BitM attacks due to a critical design limitation in how they handle fullscreen transitions.
While Firefox and Chromium-based browsers like Chrome and Edge display a notification when fullscreen mode is activated, Safari provides virtually no visual indication of the transition.
Firefox offers the clearest messaging, including details about the domain entering fullscreen mode, though this notification disappears after approximately four seconds.
Chrome also displays notifications, but these can be obfuscated using dark color schemes that match the warning’s appearance.
In contrast, Safari’s only indication of entering fullscreen mode is a subtle “swipe” animation that most users don’t associate with fullscreen activation.
When SquareX researchers disclosed this vulnerability to Safari’s developers, they received a “wontfix” response stating that the Fullscreen API methods and swipe animations are working as intended, meaning no patch is planned for this security issue.
Protection Strategies
The discovery highlights a fundamental shift in web-based attacks, where cybercriminals are moving beyond targeting browser bugs toward exploiting legitimate browser functionalities.
Traditional enterprise security tools, including Endpoint Detection and Response (EDR) systems, lack visibility into browser activities and cannot detect these sophisticated attacks.
Security experts noted that attackers can further evade detection by hosting parent sites on commonly whitelisted domains like AWS and Vercel, bypassing Secure Access Service Edge (SASE) and Security Service Edge (SSE) solutions.
This limitation has sparked development of browser-native security solutions that can access critical browser metrics including DOM changes, user interactions, and site permissions necessary to detect Fullscreen BitM attacks.
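The following is an added example, not code from SquareX, Apple or any browser vendor, showing what a browser-native check of the kind described above can look like. It is written in the shape of an extension content script: it listens for the fullscreen transition that the attack chain (a click, a transient user activation, requestFullscreen()) produces, and raises an alert when the element that took over the screen is a cross-origin or opaque-origin iframe, which is what a remote-browser BitM window looks like from inside the victim page. The function names, the fake document object and the origins `https://example.com` and `https://attacker.invalid` are constructed for the example.

```javascript
// Added example (not SquareX's product or any browser's code): a defensive
// fullscreen monitor. classifyFullscreenElement() is pure so it can be tested
// outside a browser; only installFullscreenMonitor() touches the DOM.

// el: the fullscreen element, or a plain { tagName, src } stand-in.
// pageOrigin: the embedding page's origin, e.g. document.location.origin.
function classifyFullscreenElement(el, pageOrigin) {
  if (!el) {
    return { risk: 'none', reason: 'no element is fullscreen (mode exited)' };
  }
  const tag = String(el.tagName || '').toUpperCase();
  if (tag !== 'IFRAME') {
    // Video players and games legitimately fullscreen their own elements.
    return { risk: 'low', reason: 'fullscreen element <' + tag.toLowerCase() + '> is not an embedded document' };
  }
  let frameOrigin;
  try {
    // An iframe without src (srcdoc / about:blank) has an opaque origin.
    frameOrigin = new URL(el.src || 'about:blank', pageOrigin).origin;
  } catch (e) {
    return { risk: 'medium', reason: 'iframe src could not be parsed: ' + el.src };
  }
  if (frameOrigin === 'null') {
    // The user cannot tell which document now fills the screen.
    return { risk: 'high', reason: 'iframe with opaque origin entered fullscreen' };
  }
  if (frameOrigin === pageOrigin) {
    return { risk: 'medium', reason: 'same-origin iframe entered fullscreen' };
  }
  return { risk: 'high', reason: 'cross-origin iframe ' + frameOrigin + ' entered fullscreen on ' + pageOrigin };
}

// Wires the classifier to a document. Safari also exposes the prefixed
// webkitfullscreenchange / webkitFullscreenElement names, so both are used.
// onAlert receives the verdict; exitOnHigh optionally leaves fullscreen so the
// real address bar becomes visible again. The handler is returned so callers
// (and tests) can invoke it directly.
function installFullscreenMonitor(doc, onAlert, exitOnHigh) {
  const handler = () => {
    const el = doc.fullscreenElement || doc.webkitFullscreenElement || null;
    const verdict = classifyFullscreenElement(el, doc.location.origin);
    verdict.at = new Date().toISOString();
    if (verdict.risk === 'high') {
      onAlert(verdict);
      if (exitOnHigh) {
        const exit = doc.exitFullscreen || doc.webkitExitFullscreen;
        if (exit) exit.call(doc);
      }
    }
    return verdict;
  };
  doc.addEventListener('fullscreenchange', handler);
  doc.addEventListener('webkitfullscreenchange', handler);
  return handler;
}

// Guarded so the file also loads under Node for testing.
if (typeof document !== 'undefined') {
  installFullscreenMonitor(document, (v) => console.warn('[fullscreen-monitor]', v), false);
}
```

One caveat a practitioner should keep in mind: this check keys off the fullscreen element being a foreign iframe. A phishing page that renders the remote browser into its own same-origin canvas would be classified as low risk, so in practice it has to be combined with the other signals the text mentions (DOM changes, site permissions, and the user interaction that preceded the fullscreen request) rather than used alone.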
The research underscores the urgent need for enhanced browser security controls and user education about these evolving threats.