Blog Details

Posted in: Blog, Posted On: Jan 28, 2014, Posted By: cyberinfoadmin

Advance Phishing Attacks using HTML5 Full-screen API


Do your ever use YouTube Instant Search engine (a really fast way to search YouTube) that was developed by a 21-year-old developer, named – Feross Aboukhadijeh in 2012? Chad Hurley, CEO and co-founder of YouTube, was so impressed that he immediately offered him a job at YouTube. He, himself is a web developer, designer, computer security researcher.

Recently, he has developed an attack concept that exploits the full-screen application programming interface in HTML5 in order to carry out advance phishing attacks. The HTML5 “Fullscreen API” allows web developers to display web contents in full-screen mode, that is, filling-up the display screen completely.

Fullscreen API is perhaps known for its spoofing potential, leading to major browser vendors canvassing for the implementation of an overlay to notify users when full-screen is activated.

Feross demonstrated how the Fullscreen API can aid phishing attack portals appear rather innocuous to the end users, by utilizing the API to hide the interface elements of the users’ browser, thereby preventing the user from knowing the URL of the actual website visited.

Unfortunately, Apple’s Safari browser, version 6.01 and later, provides little or no sign that full-screen mode has been activated. Google Chrome, version 22 and later, offers some notice, though as Aboukhadijeh observes, the notification is “pretty subtle and easily missed.” Mozilla Firefox, version 10 and later, alerts the user with a conspicuous notification.

Aboukhadijeh’s attack depends on social engineering rather than flawed code. There are a variety of ways to deceive people online and the only way to mitigate that risk is constant vigilance. The demo’s source code is also available on GitHub.