Advance Phishing Attacks using HTML5 Fullscreen API

Do your ever use YouTube Instant Search engine (a really fast way to search YouTube) ? That was developed by a 21 years old developer name – Feross Aboukhadijeh in 2012. Chad Hurley, CEO and co-founder of YouTube, was so impressed that he immediately offered him a job at YouTube. He a web developer, designer, computer security researcher.

Advance Phishing Attacks using HTML5 Fullscreen API

Advance Phishing Attacks using HTML5 Fullscreen API

Recently he has developed an attack concept that exploits the fullscreen application programming interface in HTML5 in order to carry out advance phishing attacks. The HTML5 “Fullscreen API” allow web developers to display web contents in full-screen mode, that is, filling-up the display screen completely.

Fullscreen API is perhaps known for its spoofing potential, leading to major browser vendors canvassing for the implementation of an overlay to notify users when full-screen is activated.

Feross demonstrated how the Fullscreen API can aid phishing attack portals appear rather innocuous to the end users, by utilizing the API to hide the interface elements of the users’ browser, thereby preventing the user from knowing the URL of the actual website visited.

Unfortunately, Apple’s Safari browser, version 6.01 and later, provides little or no sign that full-screen mode has been activated. Google Chrome, version 22 and later, offers some notice, though as Aboukhadijeh observes, the notification is “pretty subtle and easily missed.” Mozilla Firefox, version 10 and later, alerts the user with a conspicuous notification.

Aboukhadijeh’s attack depends on social engineering rather than flawed code. There are a variety of ways to deceive people online and the only way to mitigate that risk is constant vigilance. The demo’s source code is also available on GitHub.

About these ads

Comments Are Welcome

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s