Apple Safari Vulnerable to Fullscreen Browser-in-the-Middle Attacks

A significant security vulnerability has been identified within Apple’s Safari web browser. This flaw could potentially expose users to highly deceptive phishing attacks.

The core issue lies in how a malicious website can manipulate Safari’s fullscreen mode. When a user enters fullscreen, Safari often hides many standard browser interface elements, including the address bar, which displays the actual URL of the website being visited.

Exploiting this, an attacker can create a webpage that, upon entering fullscreen, displays content that mimics a legitimate website – such as a banking portal, email login page, or social media site – along with a fake URL bar. Because the real address bar is hidden by Safari in fullscreen, the user sees only the attacker’s crafted interface, making it extremely difficult to discern that they are not on the genuine site.

This technique is often referred to as a browser-in-the-middle attack. Users tricked into this scenario may unknowingly hand sensitive data, such as usernames, passwords, or financial details, directly to the attacker, believing they are interacting with a trusted service. The ease with which the genuine address bar is obscured in fullscreen is the critical security flaw.

Security researchers brought this vulnerability to light, highlighting the potential for widespread abuse through convincing website spoofs.

Fortunately, Apple has taken action to address this security issue. A fix has been implemented and is available in recent software updates for macOS, iOS, and iPadOS.

To ensure your safety online, it is absolutely essential that you keep your Apple devices and your Safari browser updated to the latest available version. Always exercise caution when prompted to enter sensitive information. If you enter fullscreen on a website, be extra vigilant. Consider briefly exiting fullscreen mode to verify the true URL shown in the genuine address bar before proceeding with sensitive actions. Staying updated is your primary defense against such sophisticated phishing attacks.
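The advice to leave fullscreen before typing anything sensitive can be automated on the client. The following is an added example, not code from the article or from Apple: a guard that exits fullscreen whenever a credential-like field gains focus, so the real address bar is visible again. It assumes it runs as a user script or extension content script; the function names are hypothetical.

```javascript
// Added example: exit fullscreen when a credential-like input gains focus.
// Heuristic only: a spoofed page can collect input through elements this
// check does not recognise, so it complements browser updates.
const SENSITIVE_TYPES = new Set(["password", "email", "tel"]);
const SENSITIVE_AUTOCOMPLETE =
  /(^|\s)(username|current-password|new-password|one-time-code|cc-[a-z-]+)(\s|$)/;

// True for <input> elements that commonly receive credentials or card data.
function isSensitiveField(el) {
  if (!el || typeof el.tagName !== "string") return false;
  if (el.tagName.toUpperCase() !== "INPUT") return false;
  const type = String(el.type || "text").toLowerCase();
  const autocomplete = String(el.autocomplete || "").toLowerCase();
  return SENSITIVE_TYPES.has(type) || SENSITIVE_AUTOCOMPLETE.test(autocomplete);
}

// Safari has shipped both the standard and the webkit-prefixed Fullscreen API.
function fullscreenElementOf(doc) {
  return doc.fullscreenElement || doc.webkitFullscreenElement || null;
}

// Returns true when fullscreen was active, the focused element looked
// sensitive, and an exit from fullscreen was requested.
function guardFocus(doc, target) {
  if (!fullscreenElementOf(doc) || !isSensitiveField(target)) return false;
  const exit = doc.exitFullscreen || doc.webkitExitFullscreen;
  if (typeof exit !== "function") return false;
  const result = exit.call(doc);
  // The standard call returns a promise; ignore a rejection if the page
  // has already left fullscreen by the time the request is processed.
  if (result && typeof result.catch === "function") result.catch(() => {});
  return true;
}

// Browser wiring: capture phase, so the guard runs before page handlers.
if (typeof document !== "undefined") {
  document.addEventListener(
    "focusin",
    (event) => guardFocus(document, event.target),
    true
  );
}
```
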

Source: https://www.bleepingcomputer.com/news/security/apple-safari-exposes-users-to-fullscreen-browser-in-the-middle-attacks/
