HTML5 Fullscreen API Phishing Attacks
An HTML5 Fullscreen API phishing attack is a phishing method that abuses the HTML5 Fullscreen API. Learn more about HTML5 Fullscreen API phishing attacks here.
Feross Aboukhadijeh, the developer behind the YouTube Instant search engine, recently developed a phishing attack concept that involves the HTML5 Fullscreen API. The exploit works through the fullscreen application programming interface in HTML5, which can be used to conduct phishing attacks.
The HTML5 Fullscreen API allows web developers to display web content in a fullscreen mode that fills the entire display. The API is suspected of enabling phishing attempts because it can be used to spoof the interfaces of major browsers.
Feross showed in his article, “Using HTML5 Fullscreen API for Phishing Attacks”, that the HTML5 Fullscreen API can be used to build advanced phishing portals that appear to be the legitimate portals of the original websites. Because the API is used to hide interface elements of the user's browser, the user won't suspect that the URL they visited is a fake one.
Personally, I have played with the HTML5 Fullscreen API phishing code to study it further, and tried to recreate the HTML5 Fullscreen API for PayPal instead of the Bank of America. I used the Google Chrome web browser for testing. Below are the results.
Disclaimer: Information is only for educational purposes and making internet users aware that such attacks may exist.
The image below shows that the URL link was perfectly spoofed and users won’t notice that the link URL is fake.
Below is the screenshot of the working HTML5 Fullscreen API attack; I used PayPal as an example. Google Chrome notified the user that it is now in fullscreen, which can help him or her know that there is something going on. From there, a malicious attacker has a chance to get the login information or credentials of a targeted user.
It’s good to know that there are browsers that notify their users of changes happening in the browser. This small piece of information matters a great deal, as it helps users know what is happening. There are reports that certain browsers provide little or no sign that fullscreen mode has been activated; these browsers must be updated to protect their users’ security.
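One way a user script or browser extension could supplement the browser's own fullscreen notice, as an added example that is not from the original article or from Aboukhadijeh's code. The function names and the heuristic (credential fields inside fullscreen content are treated as suspicious) are assumptions made for illustration.

```javascript
// Added example: defensive fullscreen monitor for a user script or extension.
// Function names and the heuristic are assumptions, not browser behaviour.

// Elements that commonly go fullscreen for legitimate reasons.
const MEDIA_TAGS = new Set(['VIDEO', 'CANVAS', 'IMG']);
const CREDENTIAL_SELECTOR = 'input[type="password"], input[type="email"]';

// Reduce the fullscreen element to the facts the heuristic needs.
function describeElement(el) {
  if (!el) return null;
  return {
    tagName: el.tagName,
    credentialInputs: el.querySelectorAll(CREDENTIAL_SELECTOR).length,
  };
}

// Pure decision: 'alert' when fullscreen content asks for credentials,
// 'notice' when a non-media element hides the address bar, else 'none'.
function assessFullscreen(info) {
  if (!info) return { level: 'none', reason: 'not in fullscreen' };
  if (info.credentialInputs > 0) {
    return { level: 'alert', reason: 'credential fields shown while the real address bar is hidden' };
  }
  if (!MEDIA_TAGS.has(info.tagName)) {
    return { level: 'notice', reason: 'page content is fullscreen; any address bar shown is drawn by the page' };
  }
  return { level: 'none', reason: 'media element without credential fields' };
}

// Re-check on every fullscreen change, and again whenever focus moves while
// fullscreen, because form fields can be added after fullscreen is entered.
function installMonitor(doc, onResult) {
  const check = () => onResult(assessFullscreen(describeElement(doc.fullscreenElement)));
  doc.addEventListener('fullscreenchange', check);
  doc.addEventListener('focusin', () => { if (doc.fullscreenElement) check(); });
}

// Browser hookup; skipped when no DOM is present (e.g. under Node).
if (typeof document !== 'undefined') {
  installMonitor(document, (r) => {
    if (r.level !== 'none') console.warn('[fullscreen-monitor]', r.level + ':', r.reason);
  });
}
```

Cross-origin iframes inside the fullscreen element cannot be inspected from the page, so a production check would treat them as unknown rather than safe.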
While the attack may depend on social engineering, it is still better to inform internet users that such a form of attack may exist.
Aboukhadijeh’s HTML5 Fullscreen API Phishing Attack code is also available on GitHub for further study.