According to MITRE, Browser-in-the-Middle (BitM) is an attack where “an adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim’s browser to the adversary’s system.” This attack has been used by many attackers to trick victims into unknowingly entering credentials and providing sensitive information on an attacker-controlled window. The attack was first disclosed in a paper by researchers from the University of Salento in 2021, and we have seen many cases of BitM being used in the wild since then.
However, one key flaw of the BitM attack is that it still requires the victim to land on a malicious site and perform an action to open up the noVNC pop-up window. As the parent window still has a malicious URL in its address bar, this will likely raise suspicion among more security-aware users at the point of credential entry.
SquareX’s research team has observed multiple instances of the browser’s Fullscreen API being exploited to address this flaw by displaying a fullscreen BitM window that covers the parent window’s address bar. The team has also observed a limitation specific to Safari browsers that makes fullscreen BitM attacks especially convincing. The article below will recap how BitM attacks work, explore the Fullscreen API requirements, and explain why Safari browsers are particularly vulnerable to fullscreen BitM attacks.
Traditional Browser-in-the-Middle (BitM) Attacks
To illustrate how a typical BitM attack works, we will use a real attack that targeted Counter-Strike 2 gamers. Incentivized by cryptocurrency and skin giveaways, victims were tricked into entering their Steam credentials. These compromised accounts were then sold on the black market for up to $300,000. Here is how it works:
Note: The case study below actually used the Browser-in-the-Browser (BitB) technique, where instead of using remote desktop, the attackers use HTML, CSS and JavaScript, most commonly to mimic login pop-ups of popular SaaS or Single Sign-On (SSO) services. We chose this example as it is a well-documented attack and because the social engineering and principles behind this attack can also be used in BitM attacks.
Apple's implementation of installing marketplace apps from Safari is heavily flawed and can allow a malicious marketplace to track users across websites
We present iLeakage, a transient execution side channel targeting the Safari web browser present on Macs, iPads and iPhones. iLeakage shows that the Spectre attack is still relevant and exploitable, even after nearly 6 years of effort to mitigate it since its discovery. We show how an attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution. In particular, we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value targets, such as Gmail inbox content. Finally, we demonstrate the recovery of passwords, in case these are autofilled by credential managers.
Whenever there’s a new in-the-wild 0-day disclosed, I’m very interested in understanding the root cause of the bug. This allows us to then understand if it was fully fixed, look for variants, and brainstorm new mitigations. This blog is the story of a “zombie” Safari 0-day and how it came back from the dead to be disclosed as exploited in-the-wild in 2022. CVE-2022-22620 was initially fixed in 2013, reintroduced in 2016, and then disclosed as exploited in-the-wild in 2022. If you’re interested in the full root cause analysis for CVE-2022-22620, we’ve published it here.
Apple has released iOS 15.3.1 to fix the WebKit vulnerability CVE-2022-22620, which is reportedly being actively exploited by cybercriminals.
"Released yesterday, macOS 12.2.1 fixes a security issue in WebKit, the engine behind Safari, that could have allowed a malicious person to execute arbitrary code simply by getting the user to visit a malicious web page (CVE-2022-22620). If your Mac is not compatible with macOS Monterey, a standalone Safari update is available."
"Apple on Thursday released security updates for iOS, iPadOS, macOS, and Safari to address a new WebKit flaw that it said may have been actively exploited in the wild, making it the company's third zero-day patch since the start of the year."