Safari flaw enables attacks to steal user credentials

A browser-in-the-middle exploit targeting Apple’s Safari leaves users more vulnerable to phishing attacks than those on Chrome or Firefox.

What happened

Security researchers at SquareX have identified a flaw in Apple’s Safari browser that lets attackers stage convincing full-screen browser-in-the-middle (BitM) attacks. These attacks rely on the browser’s Fullscreen API, which lets a web page take over the whole screen after a user gesture such as a click, hiding the usual safety indicators, above all the address bar. Firefox and Chromium-based browsers display a clear notice when a page enters full-screen mode; Safari does not, which makes it easier for an attacker to get users to type sensitive information into an attacker-controlled interface.

Going deeper

In a BitM attack, users are lured to a fake website that mimics a trusted service, such as Steam or Figma, often through malicious ads or social-media links. When they click to log in, the attacker’s page switches to full screen and streams a remote browser session from the attacker’s server, using tools such as noVNC. What the victim sees is the genuine login page, rendered in a browser the attacker controls, so every keystroke and click is delivered to the attacker’s machine. Because that remote browser really does log in to the real service, victims typically end up in a working session and have no reason to suspect that their credentials, and the authenticated session, were captured along the way.

SquareX noted that Safari’s only visual cue on entering full screen is a brief “swipe” animation that is easy to miss. Without a persistent alert, the user’s chance of noticing that the address bar has vanished drops sharply.

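The defensive counterpart to the technique above, as an added example that is not SquareX’s or Apple’s code: a content-script/userscript that gives Safari the persistent full-screen indicator the article says it lacks. It listens for the Fullscreen API’s change event and overlays the tab’s real top-level hostname on the full-screened element, something a noVNC canvas cannot forge. The function names, the fake document used to run it outside a browser, and the look-alike hostname are all constructed for this example.

```javascript
// Added example, not SquareX's or Apple's code: a content-script / userscript that
// gives Safari a persistent full-screen banner naming the real origin. The page can
// draw anything inside its noVNC canvas but cannot change what location.hostname
// reports for the tab. Function names and hostnames are this example's own.

// Safari exposed only the webkit-prefixed Fullscreen API for years; current versions
// also expose the unprefixed one. Pick whichever this document provides.
function resolveFullscreenApi(doc) {
  if ("fullscreenElement" in doc) {
    return { elementProp: "fullscreenElement", changeEvent: "fullscreenchange" };
  }
  if ("webkitFullscreenElement" in doc) {
    return { elementProp: "webkitFullscreenElement", changeEvent: "webkitfullscreenchange" };
  }
  return null; // no Fullscreen API, nothing to guard
}

// Banner text: the real origin plus the escape route (Esc leaves full screen in every browser).
function fullscreenWarningText(hostname) {
  return `Full screen: ${hostname}. Press Esc to exit.`;
}

// Install the guard on a document-like object. Returns a handle exposing the live
// overlay element (or null) so callers and tests can inspect it.
function installFullscreenGuard(doc, loc) {
  const api = resolveFullscreenApi(doc);
  if (!api) return { api: null, overlay: () => null };
  let overlay = null;

  doc.addEventListener(api.changeEvent, () => {
    const target = doc[api.elementProp]; // the element that is full screen, or null
    if (target && !overlay) {
      overlay = doc.createElement("div");
      overlay.textContent = fullscreenWarningText(loc.hostname);
      Object.assign(overlay.style, {
        position: "fixed", top: "0", left: "0", right: "0", zIndex: "2147483647",
        padding: "12px", background: "#b00020", color: "#fff", textAlign: "center",
      });
      // Only descendants of the full-screen element are rendered while it is full screen,
      // so the banner must live inside it, not in <body>. If the page full-screened a
      // replaced element such as <canvas>, nothing can be overlaid from the DOM at all.
      target.appendChild(overlay);
    } else if (!target && overlay) {
      overlay.remove();
      overlay = null;
    }
  });
  return { api, overlay: () => overlay };
}

// Constructed stand-in for a DOM document so the guard can run outside a browser.
// Only the members the guard touches are modelled; like older Safari it exposes just
// the webkit-prefixed property and event.
function makeFakeDocument() {
  const listeners = {};
  const makeElement = () => ({
    style: {}, textContent: "", children: [], parentNode: null,
    appendChild(el) { el.parentNode = this; this.children.push(el); return el; },
    remove() {
      if (!this.parentNode) return;
      this.parentNode.children = this.parentNode.children.filter((c) => c !== this);
      this.parentNode = null;
    },
  });
  return {
    webkitFullscreenElement: null,
    createElement: makeElement,
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    // Flip the full-screen state and fire the change event the way a browser would.
    setFullscreen(el) {
      this.webkitFullscreenElement = el;
      (listeners.webkitfullscreenchange || []).forEach((fn) => fn({ type: "webkitfullscreenchange" }));
    },
  };
}

// Replay the shape of the attack on the fake document: a look-alike host goes full
// screen (as the BitM page does right before streaming the remote login), then the
// user presses Esc. Returns what the guard showed at each step.
function simulateBitmTakeover(hostname) {
  const doc = makeFakeDocument();
  const guard = installFullscreenGuard(doc, { hostname });
  const pageRoot = doc.createElement("html");
  doc.setFullscreen(pageRoot); // page called pageRoot.webkitRequestFullscreen() from a click handler
  const shownWhileFullscreen = guard.overlay() ? guard.overlay().textContent : null;
  const bannerInsideFullscreenRoot = pageRoot.children.includes(guard.overlay());
  doc.setFullscreen(null); // Esc pressed: browser leaves full screen
  return {
    api: guard.api,
    shownWhileFullscreen,
    bannerInsideFullscreenRoot,
    shownAfterExit: guard.overlay(),
    leftoverNodes: pageRoot.children.length,
  };
}

if (typeof document !== "undefined") {
  installFullscreenGuard(document, location); // real browser: run as a content script
} else {
  console.log(simulateBitmTakeover("steam-login.example")); // constructed look-alike host
}
```

Deployment as a userscript or Safari web-extension content script is assumed. Two limits are worth knowing before relying on it: page scripts share the DOM and can delete the banner, and a full-screened canvas cannot contain it, so this narrows the gap the article describes rather than closing it. The indicator SquareX asked for belongs in browser chrome, which page content cannot touch; pressing Esc remains the reliable way to bring the real address bar back.
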
What was said

SquareX researchers described Safari’s behavior as a shortcoming and reported it to Apple. Apple closed the report as “wontfix”, stating that the full-screen animation is a sufficient indicator for users. Endpoint detection and response (EDR) and secure access service edge (SASE) tools also do not flag these attacks, because the technique uses standard browser features, full-screen mode and a remote desktop stream, rather than malicious code on the endpoint.

The big picture

The finding draws attention to the role of browser security cues in defending against interface-based attacks. As threat actors lean more on social engineering and visual deception, a clear indication that a page has entered full-screen mode matters more. Chrome and Firefox display a prominent message when this happens; Safari uses a cue that is easy to overlook, which makes it less effective at alerting users. Until Apple changes this, users may need to adopt more cautious browsing habits or handle sensitive logins in another browser.

FAQs

What is a browser-in-the-middle (BitM) attack, and how does it differ from typical phishing?

A BitM attack streams a real browser running on the attacker’s server to the victim’s screen (for example via noVNC), so the victim interacts with the genuine login page rather than a static copy of it. Because the login really succeeds, the victim often ends up in a working account session, which makes the theft far harder to notice than a conventional phishing page that simply fails or redirects.

Why does Safari make these attacks more effective?

Safari shows only a brief animation, not a persistent warning, when a page enters full-screen mode, so there is no lasting cue that the address bar and the rest of the browser chrome have been hidden by the page.

Can antivirus or endpoint detection software block these attacks?

No. A BitM attack uses standard browser features and installs nothing on the endpoint, so most security tools, EDR included, do not detect or flag it.

What steps can users take to avoid falling for a BitM attack?

Users should avoid clicking sponsored ads for login pages, type known URLs by hand, and check the address bar before logging in, even when the page looks familiar. Two further checks help against the full-screen variant: pressing Esc leaves full-screen mode and brings the real address bar back, and a password manager or passkey bound to the genuine site’s origin will not engage on the attacker’s domain, so a missing autofill on a familiar-looking login page is itself a warning sign.

Has Apple indicated it will fix this issue in Safari?

No. Apple has responded that its existing full-screen animation is adequate and currently has no plans to introduce stronger visual warnings.