Web API Allows Phishing Attack

  /     /     /  
Publicated : 22/11/2024   Category : security


Web API Allows Phishing Attack


A recent addition to HTML5, the Fullscreen API, appears to be easily abused.



11 Security Sights Seen Only At Black Hat (click image for larger view and for slideshow)
A proof-of-concept phishing attack designed by a Stanford computer science graduate student offers a reminder that new Web technology can reinvigorate old risks.
Feross Aboukhadijeh, a Web designer, developer, and computer security researcher, has developed a way to spoof websites using the relatively new HTML5 Fullscreen API. As its name suggests, the API allows Web developers to present content in full-screen mode, without the distractions of Web browser interface elements.
Aboukhadijeh has
published details of the attack
on his website, which includes a link that opens a fake Bank of America page to demonstrate the technique. The attack uses the Fullscreen API to hide the interface elements of the users browser--the chrome and the URL address bar--beneath an image of those interface elements. This prevents the user from knowing which website he is visiting.
Browser vendors have been aware of the potential for using this API for spoofing since it was first proposed. The
Fullscreen API specification
includes a Security and Privacy Considerations section that advises browser makers to implement an overlay element that tells the end user when full-screen mode has been initiated. This is to prevent a site from spoofing the end user by recreating the user agent or even operating system environment when fullscreen, the specification states.
[ Read
Why Huawei Has Congress Worried
. ]
Unfortunately, Apples Safari browser, version 6.01 and later, provides little or no sign that full-screen mode has been activated. Google Chrome, version 22 and later, offers some notice, though as Aboukhadijeh observes, the notification is pretty subtle and easily missed. Mozilla Firefox, version 10 and later, alerts the user with a conspicuous notification.
Microsoft Internet Explorer 10 does not presently support the HTML5 Fullscreen API, although IE under Windows 8s Metro interface is always full screen. Microsoft confronted the issue of browser UI abuse in 2004 and placed constraints on chromeless popup windows in its Windows XP SP2 update to reduce the risk of spoofing.
Aboukhadijehs attack depends on social engineering rather than flawed code. Although its certainly less worrisome than a technical vulnerability that could allow the remote takeover of a computer, its also less easily fixed--human gullibility cant be patched and defining adequate notification for an interface change isnt as simple as modifying code to prevent a crash.
There are a variety of ways to deceive people online and the only way to mitigate that risk is constant vigilance. In Apples case, following the security recommendations in Fullscreen API specification would help, too.

Last News

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Web API Allows Phishing Attack