The Hacker News Logo
Subscribe to Newsletter

Advance Phishing Attacks using HTML5 Fullscreen API

Do your ever use YouTube Instant Search engine (a really fast way to search YouTube) ? That was developed by a 21 years old developer name - Feross Aboukhadijeh in 2012. Chad Hurley, CEO and co-founder of YouTube, was so impressed that he immediately offered him a job at YouTube. He a web developer, designer, computer security researcher.

Recently he has developed an attack concept that exploits the fullscreen application programming interface in HTML5 in order to carry out advance phishing attacks. The HTML5 "Fullscreen API" allow web developers to display web contents in full-screen mode, that is, filling-up the display screen completely.

Fullscreen API is perhaps known for its spoofing potential, leading to major browser vendors canvassing for the implementation of an overlay to notify users when full-screen is activated.

Feross demonstrated how the Fullscreen API can aid phishing attack portals appear rather innocuous to the end users, by utilizing the API to hide the interface elements of the users' browser, thereby preventing the user from knowing the URL of the actual website visited.

Unfortunately, Apple's Safari browser, version 6.01 and later, provides little or no sign that full-screen mode has been activated. Google Chrome, version 22 and later, offers some notice, though as Aboukhadijeh observes, the notification is "pretty subtle and easily missed." Mozilla Firefox, version 10 and later, alerts the user with a conspicuous notification.

Aboukhadijeh's attack depends on social engineering rather than flawed code. There are a variety of ways to deceive people online and the only way to mitigate that risk is constant vigilance. The demo’s source code is also available on GitHub.

Subscribe to our Daily Newsletter via email - Be First to know about Security and Hackers. or Join our Huge Hackers Community on FacebookGoogle+ and Twitter.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.