Advance Phishing Attacks Via HTML5 Fullscreen API



We realise that its human nature to take advantage of inventions and innovations without having the slightest hint of the name of the developer/inventor him/herself. Ah, how cruel is our mind for playing tricks on us in the most desperate of times.

Talking about hidden and unknown developers, we must mention one man in particular - Feross Aboukhadijeh, who happens to be the developer of the YouTube Instant Search Engine. Aboukhadijeh is an independent security researcher, web designer and Standford Computer Science student who has recently become the talk-of-the-town for his achievement in developing a phishing attack concept. The concept exploits HTML5's vulnerability that exists in the fullscreen application programming interface.



The Fullscreen Application Programming Interface or API is a widely used feature within communities that benefit from Facebook and YouTube and the Web Developers find it to be a pretty handy tool. The feature enables the user to view enlarged photos or watch fullscreen videos on their Personal Computers (yeah, we have gone old-school). But exploiting the feature is different in a you-must-pay kind of a way as it allows the 'Phisher' to trigger the feature programmatically thus, victimising absolutely anyone at all.

According to Feross;

"You can trigger fullscreen mode with this code:

elementToMakeFullscreen.requestFullScreen();
The main restriction that the API places on developers is that fullscreen must be triggered in reaction to a click or keypress. Presumably, this is so that sketchy sites can’t immediately put you into fullscreen when you land on their site.
// Assuming jQuery is available// Fullscreen the HTML document on click$('#fullscreen-button').on('click', function() { var doc = document.documentElement; if (doc.requestFullscreen) { doc.requestFullscreen(); }});
Note that in practice, you need to use the prefixed versions (mozRequestFullScreen() andwebkitRequestFullScreen()) since the spec is still not final yet."

Feross goes on to explain the height of this potential threat on his blog. He begins his fairytale by asking the visitor to click on a simple, unthreatening link of Bank of America. As soon as it is clicked on, your browser enters a fullscreen mode where you will be able to see a fake version of the Bank of America's website. The website itself is equipped with OS and browser UI which gives you the impression that you are safe under the website's protective wing. Of course, all of it is fake but not many people would be able to tell the difference between the real and the fake. That's because the attackers take into account the UI of the browser that you are on.

In order to fool the victim, you will need to be proficient and create a link to a site that is devoid of all flaws that the human mind can contemplate. If someone with a higher IQ sees your website, they will figure out that its as fake as the Rolex sold on the streets of Karachi!

According to the man himself; 

"
Visit  href="https://www.bankofamerica.com">Bank of America for mediocre banking services.
The user can hover their mouse over the link and their status bar will showhttps://www.bankofamerica.com, as expected.
However, when the user clicks the link, call event.preventDefault() to prevent the browser from actually navigating to the link. Instead, trigger fullscreen mode and insert fake OS and browser UI into the page, along with a fake version of the site to be phished.
$('html').on('click keypress', 'a', function(event) {

// Prevent navigation to legit link
event.preventDefault();
event.stopPropagation();

// Trigger fullscreen
if (elementPrototype.requestFullscreen) {
document.documentElement.requestFullscreen();
} else if (elementPrototype.webkitRequestFullScreen) {
document.documentElement.webkitRequestFullScreen(Element.ALLOW_KEYBOARD_INPUT);
} else if (elementPrototype.mozRequestFullScreen) {
document.documentElement.mozRequestFullScreen();
} else {
// fail silently
}

// Show fake OS and browser UI
$('#menu, #browser').show();

// Show fake target site
$('#target-site').show();
});
It’s important that the fake OS and browser UI match the user’s system. So, if Chrome user on OS X clicks the link, we show a fake OS X menu bar and fake Chrome UI with a green padlock for HTTPS on Bank of America."
Various browsers show different or no signs of attack whatsoever. Apple's Safari browser (V 6.01 and later) shows some or no signs of the activations of the full-screen mode. Google Chrome (V 22 and later) shows a few signs and symptoms of the attack but as put by Feross, the notification is 'subtle and easily missed' by the untrained eye. Mozilla Firefox (V 10 and later) alerts the user with a discernible notification. This tells us that the OS and browser UI will not always be perfect for all users. Some will even be able to tell that its 'counterfeit'. Not everyone can recognise subtle changes though which will result in, as Feross says, 10% of the internet population getting phished.
According to Mozilla's John Dyer,
Browser vendors are well aware of the potential security issues with fullscreen. For example, a malicious site could show a full screen Windows or Mac login window and steal a password. That’s why they are disabling keyboard support by default and only enabling by explicitly asking.
Which explains that at some point while developing and releasing the Fullscreen API, Mozilla was aware of the baggage that it carried. The attacking concept, however, seems to be more about social engineering than flawed code.

Stay safe people. We need our loyal fanbase alive, well and phish-free!

Cheers!

About The Author

This article is written by Sindhia Javed Junejo. She is one of the core members of RHA team.