Independent security researcher, web designer, and Stanford Computer Science student Feross Aboukhadijeh has developed an attack concept that exploits the fullscreen application programming interface in HTML5 in order to carry out phishing attacks.
The attack leverages the ‘fullscreen API’ feature that lets Web developers display content that fills the user’s entire screen. Aboukhadijeh explains that the feature is widely familiar to users (although they may not realize it) because it is used to enlarge photos on Facebook and to watch fullscreen videos on YouTube. He notes that this differs from ‘user-triggerable’ fullscreen functionality because it can be triggered programmatically by a developer or attacker.
In his demo, Aboukhadijeh uses what appears to be a legitimate link to the Bank of America website. If the user hovers over the link, the link destination shown in the bottom left of the screen indicates that clicking the link will lead to the legitimate Bank of America website. However, clicking the link does not lead there. Instead, clicking the link automatically puts the browser into fullscreen mode, where Aboukhadijeh loads a fake BoA website. Aboukhadijeh’s demo uses a screenshot of the BoA website, but it is possible to use a working site.
Aboukhadijeh’s fake BoA site also determines which browser and operating system the user is running so that the fake site will look real once it is displayed. All he does is set a link to the real BoA website, but arrange that when the user clicks the link, a call is made to prevent the browser from actually navigating to the site. Instead, Aboukhadijeh triggers fullscreen mode and inserts a fake operating system and browser user interface along with a fake website of the phisher’s choosing (in this case BoA).
Savvy and attentive users, particularly those who customize their browsers, will probably notice what is going on. The demo can’t match bookmarks, browser customizations, menu bars, or plugins, but Aboukhadijeh believes that many users will either think nothing of the small changes or be affected by a phenomenon called ‘change blindness.’
Change blindness or not, lesser social engineering scams have been successful in the past. For many users, even if they noticed that their browser was entering full screen mode (Firefox and Chrome indicate when the browser is doing so), they would have no reason to suspect foul play.
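The sequence the article describes (a click on a link to another site that is cancelled, followed immediately by the page entering fullscreen with no navigation) is something a defender can watch for. The snippet below is an added example, not code from the article or from Aboukhadijeh’s demo: a small heuristic that scores a recorded stream of browser events and flags a cross-origin link click that is followed within a short window by a fullscreen change instead of a page unload. The event record format, the `SUSPICIOUS_WINDOW_MS` threshold, the `phish.example` / `bank.example` origins and the `installMonitor` wiring are all assumptions made for the example.

```javascript
// Added example (not from the article or from Aboukhadijeh's demo).
// Heuristic detector for "link click enters fullscreen instead of navigating".
// Event records are constructed objects: { type, t (ms), href?, fullscreen? }.

const SUSPICIOUS_WINDOW_MS = 1500; // assumption: click and fullscreen must be this close

// Scan a chronologically ordered list of events. For every click on a link,
// look ahead for the page entering fullscreen before any navigation starts.
// Cross-origin link targets are rated 'high' (the article's pattern: a link
// that appears to leave the site but never does); same-origin ones 'low'
// (enlarging a photo on the same site is ordinary use of the API).
function classifyEvents(events, pageOrigin, windowMs = SUSPICIOUS_WINDOW_MS) {
  const findings = [];
  for (let i = 0; i < events.length; i++) {
    const ev = events[i];
    if (ev.type !== 'click' || !ev.href) continue;
    let target;
    try {
      target = new URL(ev.href, pageOrigin);
    } catch {
      continue; // unparsable href: nothing to compare against
    }
    const crossOrigin = target.origin !== pageOrigin;
    for (let j = i + 1; j < events.length && events[j].t - ev.t <= windowMs; j++) {
      const next = events[j];
      if (next.type === 'beforeunload') break; // navigation really happened: benign
      if (next.type === 'fullscreenchange' && next.fullscreen) {
        findings.push({
          href: ev.href,
          crossOrigin,
          delayMs: next.t - ev.t,
          severity: crossOrigin ? 'high' : 'low',
        });
        break;
      }
    }
  }
  return findings;
}

// Browser wiring (assumed, not exercised outside a browser): capture clicks on
// anchors, fullscreen changes and unloads, then re-run the classifier.
function installMonitor(doc, win, onFinding) {
  const events = [];
  const origin = win.location.origin;
  doc.addEventListener('click', (e) => {
    const a = e.target && e.target.closest ? e.target.closest('a[href]') : null;
    if (a) events.push({ type: 'click', t: Date.now(), href: a.href });
  }, true);
  doc.addEventListener('fullscreenchange', () => {
    events.push({ type: 'fullscreenchange', t: Date.now(), fullscreen: !!doc.fullscreenElement });
    classifyEvents(events, origin).forEach(onFinding);
  });
  win.addEventListener('beforeunload', () => {
    events.push({ type: 'beforeunload', t: Date.now() });
  });
  return events;
}

// Constructed sample: the article's pattern on a hypothetical phishing page.
const SAMPLE_PAGE_ORIGIN = 'https://phish.example';
const SAMPLE_EVENTS = [
  { type: 'click', t: 1000, href: 'https://bank.example/login' }, // looks like an external link
  { type: 'fullscreenchange', t: 1050, fullscreen: true },         // but the page goes fullscreen
];

if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  installMonitor(document, window, (f) => console.warn('suspicious fullscreen after link click', f));
} else {
  console.log(classifyEvents(SAMPLE_EVENTS, SAMPLE_PAGE_ORIGIN));
}

module.exports = { classifyEvents, installMonitor, SAMPLE_EVENTS, SAMPLE_PAGE_ORIGIN };
```

The classifier deliberately treats a `beforeunload` after the click as exonerating: a real navigation to the linked site is exactly what the spoof never produces. Running it in Node prints one `high` finding for the constructed sample; in a browser, `installMonitor` would feed the same function with live events.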