A newly discovered vulnerability in Apple’s Safari browser could allow cybercriminals to steal user credentials using a deceptive technique known as a “browser-in-the-middle” (BitM) attack.

Security researchers at SquareX found that Safari fails to notify users when a site enters full-screen mode. Unlike Chrome or Firefox, which display clear alerts, Safari simply shows a subtle swipe animation—something most users can easily miss. This lack of a strong visual cue makes the attack more effective on Safari than on other browsers.

In a typical BitM attack, victims are lured through sponsored ads or malicious links to a fake website that looks identical to a legitimate service, such as a banking portal or gaming site. Once the user clicks on a login button, a hidden browser window controlled by the attacker enters fullscreen mode and displays what looks like the real login page. Users unknowingly enter their credentials into the attacker’s interface. Though the login may appear to succeed, the credentials have already been stolen in the background.

Tools like noVNC allow attackers to remotely load and control this fake browser window, making it difficult to detect. Since the attack uses standard browser features, most security solutions like endpoint detection and response (EDR) or secure web gateways do not raise any alerts.

SquareX reports that although the technique works across multiple browsers, Safari users are at greater risk due to the absence of a clear fullscreen warning. The researchers notified Apple about the issue, but the company responded that it does not plan to implement any changes. Apple stated that the existing swipe animation is sufficient to inform users of fullscreen changes.
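As an added example, not code from SquareX or Apple, the following browser-extension content script supplies the fullscreen notice Safari omits: whenever the page enters fullscreen it shows a banner naming the origin actually serving the page, so a spoofed login screen is labelled with the domain it really comes from. The banner id and wording are assumptions of this example; Safari's prefixed `webkitfullscreenchange` event is handled alongside the standard one.

```javascript
// Added example (not SquareX's or Apple's code): a content script that
// re-creates the fullscreen notice Safari lacks, naming the real origin.
// DOM-free helper: text to display for a given origin and fullscreen state.
// Returns null when no banner should be shown.
function fullscreenNotice(origin, isFullscreen) {
  if (!isFullscreen) return null;
  let host;
  try {
    host = new URL(origin).hostname;   // show only the host, which is what users compare
  } catch {
    host = String(origin);             // e.g. the "null" origin of opaque documents
  }
  return `${host} is now fullscreen. Press Esc to exit.`;
}

// Safari exposed the Fullscreen API with a webkit prefix for years; accept both.
function currentFullscreenElement(doc) {
  return doc.fullscreenElement || doc.webkitFullscreenElement || null;
}

const BANNER_ID = "fullscreen-origin-notice"; // assumed name for this example

function renderBanner(doc) {
  const fsEl = currentFullscreenElement(doc);
  const text = fullscreenNotice(doc.location.origin, fsEl !== null);
  const existing = doc.getElementById(BANNER_ID);
  if (!text) {
    if (existing) existing.remove();   // fullscreen was left: clear the banner
    return;
  }
  const el = existing || doc.createElement("div");
  el.id = BANNER_ID;
  el.textContent = text;
  // Fixed, top-most and high-contrast so it cannot pass as page content.
  el.style.cssText = "position:fixed;top:0;left:0;right:0;z-index:2147483647;" +
    "padding:12px;background:#b00020;color:#fff;font:16px sans-serif;text-align:center";
  // Only the fullscreen element and its descendants are painted, so the banner
  // must live inside it (or in body when the whole document is fullscreen).
  // Caveat: a bare <canvas>, <video> or <iframe> cannot host child elements.
  const host = fsEl === doc.documentElement ? doc.body : fsEl;
  host.appendChild(el);
}

// Wire up only in a real browser; under Node only the helpers above are defined.
if (typeof document !== "undefined") {
  for (const ev of ["fullscreenchange", "webkitfullscreenchange"]) {
    document.addEventListener(ev, () => renderBanner(document));
  }
}
```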

Until a fix is introduced, users are advised to stay cautious, avoid clicking on suspicious ads or links, and always double-check website URLs before entering sensitive information.
