Advanced Phishing Attacks using the HTML5 Fullscreen API


Do you ever use the YouTube Instant search engine (a really fast way to search YouTube)? It was developed by a 21-year-old developer named Feross Aboukhadijeh in 2012. Chad Hurley, CEO and co-founder of YouTube, was so impressed that he immediately offered him a job at YouTube. He is a web developer, designer and computer security researcher.

Recently he developed an attack concept that exploits the fullscreen application programming interface in HTML5 in order to carry out advanced phishing attacks. The HTML5 "Fullscreen API" allows web developers to display web content in full-screen mode, that is, filling up the display screen completely.

The Fullscreen API is perhaps best known for its spoofing potential, which has led major browser vendors to push for an overlay that notifies users when full-screen mode is activated.

Feross demonstrated how the Fullscreen API can help phishing portals appear innocuous to end users: the API is used to hide the interface elements of the user's browser, preventing the user from seeing the URL of the website actually visited.

Unfortunately, Apple's Safari browser, version 6.01 and later, provides little or no sign that full-screen mode has been activated. Google Chrome, version 22 and later, offers some notice, though as Aboukhadijeh observes, the notification is "pretty subtle and easily missed." Mozilla Firefox, version 10 and later, alerts the user with a conspicuous notification.

Aboukhadijeh's attack depends on social engineering rather than flawed code. There are a variety of ways to deceive people online and the only way to mitigate that risk is constant vigilance. The demo’s source code is also available on GitHub.

Here is the POC http://feross.org/html5-fullscreen-api-attack/ , it's superb :)

Source-code https://github.com/feross/fullscreen-api-attack
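An added example, not code from the post or from Feross's repository: a page- or user-script-level version of the overlay notification the post says browser vendors adopted. It listens for the fullscreenchange event and, while document.fullscreenElement is set, shows the real origin plus the Esc hint for a few seconds, so fake browser chrome drawn inside the page cannot pass for the address bar. The doc/win parameters, the visibleMs delay and the banner wording are assumptions of this example.

```javascript
// Added example (not from the original post): a full-screen notice that shows the
// true origin. DOM and timer access are passed in (doc, win) so the logic can also
// run outside a browser.

function isFullscreen(doc) {
  // fullscreenElement is null when nothing is in full-screen mode; the
  // webkit-prefixed name covers the older Safari versions the post mentions.
  return Boolean(doc.fullscreenElement || doc.webkitFullscreenElement);
}

function noticeText(origin) {
  return "You are in full screen at " + origin + ". Press Esc to exit.";
}

function installFullscreenNotice(doc, win, origin, visibleMs) {
  let banner = null;

  function hide() {
    if (banner) { banner.remove(); banner = null; }
  }

  function onChange() {
    hide();                          // drop any notice left from a previous transition
    if (!isFullscreen(doc)) return;  // leaving full screen: nothing to show
    banner = doc.createElement("div");
    banner.textContent = noticeText(origin);
    // Fixed, top-most, high-contrast bar across the top of the viewport.
    banner.style.cssText = "position:fixed;top:0;left:0;right:0;z-index:2147483647;" +
      "padding:12px;background:#222;color:#fff;font:16px sans-serif;text-align:center";
    doc.body.appendChild(banner);
    win.setTimeout(hide, visibleMs); // auto-dismiss, like the vendor overlays
  }

  doc.addEventListener("fullscreenchange", onChange);
  doc.addEventListener("webkitfullscreenchange", onChange);
  return onChange; // returned so callers can trigger it directly
}

// In a browser, install against the real document using the true origin.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  installFullscreenNotice(document, window, window.location.origin, 4000);
}
```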
