New Browser Exploit Technique Undermines Phishing Detection


A new browser-based phishing technique has made it harder for users to spot malicious websites, according to recent cybersecurity research.

The method, known as a Fullscreen Browser-in-the-Middle (BitM) attack and discovered by SquareX, exploits standard browser functionality to convincingly mask fake login pages as legitimate ones, without relying on bugs or vulnerabilities.

This approach builds on traditional BitM tactics, where attackers use remote browser sessions to show real login interfaces in a pop-up window, tricking users into submitting their credentials. The key limitation of earlier versions was the visible presence of a suspicious URL in the browser address bar.

However, the latest variant uses the browser’s Fullscreen API to hide that URL entirely by rendering the attacker-controlled content in fullscreen mode, making detection significantly more difficult.

Safari Browsers Particularly Exposed

The effectiveness of the technique varies by browser.

While Chrome and Firefox display brief notifications when fullscreen mode is activated, these warnings are often subtle and can be easily overlooked, especially when attackers mimic the look and feel of legitimate interfaces.

Safari presents a greater concern: it does not show any messaging when entering fullscreen mode, providing attackers with a clear advantage. A slight swipe animation is the only visual cue, and it’s not one that users typically associate with a potential security risk.

Key differences across browsers include:

  • Chrome and Firefox show temporary fullscreen warnings with limited detail

  • Firefox includes domain information, though the notice vanishes after a few seconds

  • Safari shows no warning message, only a subtle swipe animation

In one example, attackers used malvertising to lure victims to a fake Figma login page. The site appeared authentic, and clicking the login button triggered fullscreen mode.

The victim then unknowingly submitted their credentials through a remote browser controlled by the attacker, granting access not only to the compromised account but also to any other apps the user accessed during that session.


Addressing the Risk

Unlike traditional phishing attacks that depend on typosquatting or blatant URL spoofing, this method relies on legitimate browser behavior. This makes it particularly difficult for security tools that monitor network traffic or endpoint activity to detect. As a result, mitigation efforts must shift toward user awareness and browser-level protections.

Staying vigilant when login prompts appear in fullscreen mode, especially if the transition feels unexpected, is crucial. Users are advised to navigate to services directly rather than through ads, emails or social media posts.

Choosing browsers that offer clearer visual indicators for fullscreen activity can provide an additional layer of defense.
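An added example, not code from the article or from SquareX: a hypothetical browser-extension content script that re-creates the origin cue Safari omits and keeps it on screen for the whole fullscreen session, with the real hostname always visible. The `entry` shape, the element id and the risk signals are assumptions; a page sharing the DOM can still try to remove the banner, so this complements a browser-native indicator rather than replacing it.

```javascript
// Pure classifier so the decision is testable outside a browser; `entry` is a plain description of the fullscreened subtree.
function classifyFullscreenEntry(entry) {
  if (!entry.active) return { level: 'none', signals: [] };
  const signals = [];
  if (entry.hasPasswordField) signals.push('password field inside fullscreen element');
  if (entry.hasStreamSurface) signals.push('canvas/video surface, could be a streamed remote browser');
  if (entry.fullscreenTag !== 'HTML') signals.push('a sub-element, not the page, went fullscreen');
  return { level: signals.length ? 'suspicious' : 'benign', signals };
}

// Banner text: the real hostname is always shown, any signals are appended.
function bannerText(hostname, verdict) {
  const head = `Fullscreen on ${hostname}`;
  return verdict.signals.length ? `${head} - ${verdict.signals.join('; ')}` : head;
}

// DOM probe (the webkit-prefixed property covers older Safari builds).
function describeFullscreen(doc) {
  const el = doc.fullscreenElement || doc.webkitFullscreenElement;
  if (!el) return { active: false };
  return {
    active: true,
    fullscreenTag: el.tagName,
    hasPasswordField: el.querySelector('input[type="password"]') !== null,
    hasStreamSurface: el.querySelector('canvas, video') !== null,
  };
}

// The banner must live inside the fullscreen subtree or it will not be drawn.
function updateBanner(doc, text) {
  let el = doc.getElementById('fs-origin-banner');
  if (!text) { if (el) el.remove(); return; }
  if (!el) {
    el = doc.createElement('div');
    el.id = 'fs-origin-banner';
    el.style.cssText = 'position:fixed;top:0;left:0;right:0;z-index:2147483647;' +
      'background:#b00020;color:#fff;font:14px sans-serif;padding:6px;text-align:center;';
  }
  (doc.fullscreenElement || doc.webkitFullscreenElement || doc.body).appendChild(el);
  el.textContent = text;
}

if (typeof document !== 'undefined') {  // skipped when run outside a browser
  const onChange = () => {
    const verdict = classifyFullscreenEntry(describeFullscreen(document));
    updateBanner(document, verdict.level === 'none' ? '' : bannerText(location.hostname, verdict));
  };
  document.addEventListener('fullscreenchange', onChange);
  document.addEventListener('webkitfullscreenchange', onChange);
}
```

Leaving fullscreen clears `fullscreenElement`, so the next event removes the banner automatically.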

Security awareness training also plays a key role, helping users recognize subtle signs of manipulation and understand how browser APIs can be abused in sophisticated phishing campaigns.

Image credit: Farknot Architect / Shutterstock.com
