Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/10/2012
02:33 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Web API Allows Phishing Attack

A recent addition to HTML5, the Fullscreen API, appears to be easily abused.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
A proof-of-concept phishing attack designed by a Stanford computer science graduate student offers a reminder that new Web technology can reinvigorate old risks.

Feross Aboukhadijeh, a Web designer, developer, and computer security researcher, has developed a way to spoof websites using the relatively new HTML5 Fullscreen API. As its name suggests, the API allows Web developers to present content in full-screen mode, without the distractions of Web browser interface elements.

Aboukhadijeh has published details of the attack on his website, which includes a link that opens a fake Bank of America page to demonstrate the technique. The attack uses the Fullscreen API to hide the interface elements of the user's browser--the chrome and the URL address bar--beneath an image of those interface elements. This prevents the user from knowing which website he is visiting.

Browser vendors have been aware of the potential for using this API for spoofing since it was first proposed. The Fullscreen API specification includes a "Security and Privacy Considerations" section that advises browser makers to implement an overlay element that tells the end user when full-screen mode has been initiated. "This is to prevent a site from spoofing the end user by recreating the user agent or even operating system environment when fullscreen," the specification states.

[ Read Why Huawei Has Congress Worried. ]

Unfortunately, Apple's Safari browser, version 6.01 and later, provides little or no sign that full-screen mode has been activated. Google Chrome, version 22 and later, offers some notice, though as Aboukhadijeh observes, the notification is "pretty subtle and easily missed." Mozilla Firefox, version 10 and later, alerts the user with a conspicuous notification.

Microsoft Internet Explorer 10 does not presently support the HTML5 Fullscreen API, although IE under Windows 8's Metro interface is always full screen. Microsoft confronted the issue of browser UI abuse in 2004 and placed constraints on chromeless popup windows in its Windows XP SP2 update to reduce the risk of spoofing.

Aboukhadijeh's attack depends on social engineering rather than flawed code. Although it's certainly less worrisome than a technical vulnerability that could allow the remote takeover of a computer, it's also less easily fixed--human gullibility can't be patched and defining adequate notification for an interface change isn't as simple as modifying code to prevent a crash.

There are a variety of ways to deceive people online and the only way to mitigate that risk is constant vigilance. In Apple's case, following the security recommendations in Fullscreen API specification would help, too.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
10/15/2012 | 9:19:07 AM
re: Web API Allows Phishing Attack
I love reading about security exploits in information technology. Way to go Doubleheader for locating and sharing the exploit and now it is being properly addressed. With small warning that are easily overlooked it is surprising that these are not more common today than ever before due to the presence of HTML5 on the web. Disappointing to read that this was clearly addressed under securities and not brought more to the forefront as a much larger vulnerability than outlined.

Paul Sprague
InformationWeek Contributor
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.