Fullscreen API: Aid To Phishing Attack?

The HTML5 "Fullscreen API" allow web developers to display web contents in full-screen mode, that is, filling-up the display screen completely. Albeit, some browsers have this capability inbuilt, the Fullscreen API differs from those in that it allow developers to access the functionality through underlined programming.

Fullscreen API is perhaps known for its spoofing potential, leading to major browser vendors canvassing for the implementation of an overlay to notify users when full-screen is activated.

SCAM websites have found ways to spoof web surfers by recreating the user agents when Fullscreen is initiated. Feross Aboukhadijeh, a San Francisco based web developer, had demonstrated the common technique in his official website.

Feross demonstrated how the Fullscreen API can aid phishing attack portals appear rather innocuous to the end users, by utilizing the API to hide the interface elements of the users' browser, thereby preventing the user from knowing the URL of the actual website visited.

The API's specified "Security and Privacy Considerations" have advisory on how browser vendors can effectively curtail the spoofing mechanism. Google Chrome, from v22 upwards have provided some level of notification as to the full-screen mode of websites visited. While, Mozilla Firefox version 10 and later, is more explicit in its notification and flagging alert.

Whereas, Apple Safari is seriously lagging behind, Internet Explorer is yet to support HTML5 Fullscreen API.
Previous
Next Post »