
Using the HTML5 Fullscreen API for Phishing Attacks - feross
http://feross.org/html5-fullscreen-api-attack/
======
nikcub
When the standard was being ratified, this came up on the mailing list (I
can't find the link right now, I am on my cell).

The solution was to recommend that vendors print warning labels across the top
or add a layer of permissions around the feature, which Chrome and Safari
have done.

For example, when I open it I get a message saying 'Chrome is currently in
fullscreen mode'. They will likely both also add permission boxes similar to
when the browser requests your location.

It is good for developers to understand this, but I wouldn't say that the spec
is broken or that this is a bad feature; it can be implemented securely and
with warnings. Anti-phishing education for users should primarily involve
talking about not trusting links anywhere and typing in the address directly.

Edit: Here it is from the Spec:

<http://dvcs.w3.org/hg/fullscreen/raw-file/tip/Overview.html#security-and-privacy-considerations>

> 7. Security and Privacy Considerations

> User agents should ensure, e.g. by means of an overlay, that the end user is
> aware something is displayed fullscreen. User agents should provide a means
> of exiting fullscreen that always works and advertise this to the user. This
> is to prevent a site from spoofing the end user by recreating the user agent
> or even operating system environment when fullscreen. See also the
> definition of requestFullscreen().

> To prevent embedded content from going fullscreen only embedded content
> specifically allowed via the allowfullscreen attribute of the HTML iframe
> element will be able to go fullscreen. This prevents untrusted content from
> going fullscreen.

I am most familiar with Safari and Chrome (have been meaning to get up-to-date
with Firefox, which has had a lot of good work put into it) but all of the
major browser vendors have done something around this in their own way with
both desktop and mobile releases.

It is at the discretion of each vendor how they implement security warnings or
settings around full screen mode. They all have slightly different
implementations but the end result is that they go some way towards preventing
a phishing attack using Fullscreen.

That said, it was a good idea to bring this issue to the attention of
developers and users as a potential attack vector and as a demonstration of
why the security dialogs are important.

Edit II: The whatwg thread where the security considerations are discussed
begins here:

<http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2009-December/024582.html>

The first post rightly points out that Flash had the feature implemented in a
non-secure manner for a long time.

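The spec excerpt above says embedded content may only go fullscreen when every enclosing iframe carries `allowfullscreen`. The following is an added example, not code from the comment, the spec's editors or feross's demo: it models that "fullscreen enabled flag" rule over a constructed document tree (plain objects standing in for documents and their container iframes, since the rule is what matters, not the DOM), so an integrator can check which embedded third parties have been granted the ability to take the whole screen. The guarded `fullscreenchange` listener at the end uses the real browser API (`document.fullscreenElement`) and is skipped when no `document` exists.

```javascript
// Added example (not from the page, the spec's editors or feross's demo).
// Documents are modelled as { name, parent, allowfullscreen }, where
// allowfullscreen records whether the <iframe> that embeds this document
// carries the allowfullscreen attribute. For the top-level document the
// value is irrelevant, because it has no container.
function makeDocument(name, parent, allowfullscreen) {
  return { name, parent, allowfullscreen };
}

// Constructed tree: a top-level page embedding a trusted player frame
// (allowfullscreen) and an untrusted ad frame (no attribute), each with a
// further frame nested inside it.
const topDoc = makeDocument('top', null, true);
const player = makeDocument('player', topDoc, true);      // <iframe allowfullscreen>
const ad = makeDocument('ad', topDoc, false);             // <iframe> without the attribute
const playerInner = makeDocument('player-inner', player, true);
const adInner = makeDocument('ad-inner', ad, true);       // its own frame allows it, but the ad frame above does not

// Spec rule: the fullscreen enabled flag is set for a document if it has no
// browsing context container (it is top-level), or if its container iframe
// has allowfullscreen AND the parent document's flag is also set. In a
// browser this is what document.fullscreenEnabled reports.
function fullscreenEnabled(doc) {
  if (doc.parent === null) return true;
  return doc.allowfullscreen === true && fullscreenEnabled(doc.parent);
}

// Defender-facing helper: list every embedded document in the tree that
// could take the whole screen, so the set of frames granted that capability
// can be reviewed against the list of parties you actually trust.
function framesAllowedToGoFullscreen(docs) {
  return docs
    .filter(d => d.parent !== null && fullscreenEnabled(d))
    .map(d => d.name);
}

// In a real page a site can also observe fullscreen transitions with the
// standard event; guarded so the block still runs outside a browser.
if (typeof document !== 'undefined' && typeof document.addEventListener === 'function') {
  document.addEventListener('fullscreenchange', () => {
    const el = document.fullscreenElement;
    console.log(el ? `fullscreen element: ${el.tagName}` : 'left fullscreen');
  });
}
```

Running `framesAllowedToGoFullscreen([topDoc, player, ad, playerInner, adInner])` yields `['player', 'player-inner']`: the ad frame and everything nested below it stay blocked no matter what attributes the inner frames set, which is the containment property the spec paragraph describes.
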
~~~
cfinke
_which Chrome and Safari have done_

Firefox does it too, and in a much more obvious way than either Chrome or
Safari. Here are all the latest browsers on Mac compared:
<http://imgur.com/a/jdcI7> (Sorry Opera; I haven't re-installed you yet.)

I actually didn't get any permissions dialog or warning label in Safari 6;
maybe I ok'd it for another site at some point in the past, but I definitely
didn't whitelist this domain.

~~~
feross
Safari has no warning or message at all. Just a quick, half-second animation
and that's it.

~~~
peterhunt
Safari disallows keyboard input in fullscreen mode.

~~~
masklinn
Entirely? So no way to use fullscreen mode for keyboard-driven games in saf'?

~~~
peterhunt
That's correct, this is why the Facebook full-screen photo viewer is not
enabled in Safari even though the API is supported.

~~~
masklinn
That stinks.

------
jeswin
The concept is clever, and very interesting.

However, most users (even experienced users) don't look at the url when
visiting information-sensitive websites and www.bankofamerica.fsh4.com would
still not alarm them. They don't understand the SSL icon either.

~~~
ygra
There was some interesting research a few years ago regarding the SSL icon.
Since the idea that a padlock means security on a website is firmly ingrained
in many users, they just made the favicon into a lock. A surprisingly large
number of users was fooled by that.

I guess "padlock means secure" has been superseded a little by "address bar
is green somewhere" by now, but the problem remains the same.

~~~
shardling
That's why Firefox no longer has the favicon in the URL bar.

------
damncabbage

> The user can hover their mouse over the link and their status bar will show
> https://www.bankofamerica.com, as expected.

Google search results use a similar technique to show you the "right" link
when you hover.

(It's only when you click the link that it mucks around with the DOM to
insert the google.com/... redirect link.)

~~~
guelo
This is pissing me off. The link hover should be sacred, browsers shouldn't
allow any trickery there.

~~~
finnw
I won't be surprised if both Google and MS restrict this in their browsers in
the near future, but make exceptions for their own search engines.

~~~
oliciv
I won't be holding my breath for major browsers to remove support for JS click
events!

~~~
finnw
Probably not, but if a regular link has an onClick event, they might show a
big red warning message in the status bar in place of the URL.

------
andrewfelix
The demo you've put together is very nice. It even accounts for the different
UI styling of individual browsers. However in all cases that the link worked,
I received a very large warning that has to be manually dismissed.

This is not a rhetorical question; do you think people would ignore the
warning and continue to use the site?

An easier phishing technique would be to manipulate the address to appear
legitimate using pushState.

~~~
SoftwareMaven
_do you think people would ignore the warning and continue to use the site?_

Absolutely. My eyes were opened to that when I was troubleshooting my father's
webcam over the phone. It kept not working when everything looked like it
should. He just failed to let me know about the alert that kept popping up
that said "camera is locked by <foo>". Instead, without reading, he just hit
the "X", even though I was asking for _every_ step he was performing. Closing
a rogue alert isn't even a "step" to most people.

If you are relying on dialogs to keep your users safe, you are doing it wrong.
Unfortunately, I don't know what the right answer here is.

~~~
jiggy2011
I worked in tech support for a few years; this stuff is very common when doing
things over the phone. "A box popped up saying X", "OK, click on Y", "Oh, I
just clicked on Z", "Why did you click on Z?", "I always click on Z".

------
AngryParsley
That's clever. It was pretty obvious to me, since I run Chrome in presentation
mode (no UI elements visible) and Chrome popped up a dialog box telling me
about the switch to full-screen mode. Still, I can see how a lot of people
could be tricked by this. I can't think of a better solution than extant
phishing site blacklists.

Full-screen mode can be useful, but it and other HTML5 features can be used
for phishing or to generally annoy users. I'm wondering how soon it will be
before someone makes the HTML5-equivalent of ClickToFlash.

~~~
wtallis
NoScript already inherently blocks this, and even if you allow the domain that
provides the script that tries to go full-screen, and allow the full-screen
transition, the web page pretending to be a desktop doesn't cover the NoScript
toolbar that's still prompting for permissions on the other domains. I suspect
the anti-clickjacking measures would kick in if the phishing site tried to
incorporate the real site as a base layer.

NoScript does not seem to have any features targeted directly at HTML5
fullscreen, though.

~~~
tymekpavel
I don't think the average user knows what NoScript is.

~~~
nikcub
This is why I want to fork Chrome and create a secure and privacy-aware
browser.

* Take out everything Google-related, including safebrowsing

* Rip out Flash and Java

* Integrate NoScript

* Integrate an alternate html5/canvas based video player

* Integrate third-party request blocking

* No cookies by default

* Strip out all the tracking IDs in URLs (e.g. Google search results pages, back to just plain old ?s=search+query)

* Automatically clear cookies such as the __ut* cookies from analytics

* Incognito by default

* Introduce a concept of 'installing' trusted sites that would be allowed to run scripts, etc. not too dissimilar to how desktop computing works

I have had this idea for over a year now, but haven't gone far in implementing
it other than doing a test build of chromium with incognito by default and
some default extensions.

It came about because my dad and other family members have each had spyware or
rootkits installed on their machines. 99.99% of drive-by exploits can be
stopped by simply not running IE and switching off Flash and Java.

It would be a browser where you don't have to explain everything, just
marketed/renowned as being a browser focused on privacy and security features
for everyday users.

When I get a chance, I am contemplating putting a team together and forking
this as an open source project. If such a project is of interest to anybody
else, get in touch (via email in profile).

~~~
adrinavarro
Cookies and JS off by default?

Maybe we don't live in the same world.

~~~
nikcub
Third-party cookies.

The idea is that you have a button next to the URL to install it, from where
it just runs as normal (albeit still without third-party cookies, as with FB
buttons).

It could also do something smart with the type of JavaScript being executed.
For example, the concern with JavaScript is dynamically generating forms or
iframes and auto-submitting, etc. Something that you can't do with extensions
but you can do with a separate browser.

~~~
icebraining
Firefox extensions can certainly do that. For example NoScript has IFrame
blocking built-in, it's just disabled by default. More importantly, its
ClearClick feature prevents clickjacking even with IFrames enabled.

You're right that _Chrome_ extensions can't do that, though.

------
jrabone
For login screens, this is the problem that the Secure Attention Key
(<http://en.wikipedia.org/wiki/Secure_attention_key>) was intended to solve.

IMO this is why the constant pushing of the browser as a platform is more
trouble than it's worth. Everything that your OS does now will be re-invented
(badly, several times) in one or more of the different web-browsers, lost,
found, queried in triplicate, standardised before finally being recycled as
firelighter when the next "paradigm shift" takes over.

------
jmitcheson
You're being a bit disingenuous by not mentioning the inbuilt protections that
the HTML5 Fullscreen API offers.

"Also, any alphanumeric keyboard input while in full-screen mode causes a
warning message to appear; this is done to help guard against phishing
attacks. The following keys are the only ones that don't cause this warning
message to appear (...)"

(<https://developer.mozilla.org/en-US/docs/DOM/Using_full-screen_mode>)

The article and demo are nice though. Good work.

~~~
feross
That documentation is out-of-date. There were no warnings on keyboard input in
Firefox or Chrome. I went fullscreen on a Facebook photo and was able to leave
a comment without any issues.

Safari, on the other hand, appears to prevent keyboard input, which I just
recently found out.

------
bpatrianakos
It's really annoying and alarming to hear technical people rebut this with
"Well I could tell the difference because I noticed my browser changed and my
super customized desktop settings weren't reproduced, and plus it says "now in
full screen mode", etc.". It's alarming because this type of response just goes
to show that the people creating things for the web are so completely out of
touch with real users. There's this weird idea among developers that users
know how to use technology just like we do when in fact they don't even know
which website handles their email half the time, think Google is the internet,
use the browser search bar to type full URLs even though the actual address
bar is 10 pixels to the left, and will blame you for giving them a virus
because you changed their desktop wallpaper and not because of all those shady
links to foreign lotteries they were clicking in their email which they were
lucky to find in the first place.

Yeah, you can tell the difference. I could tell the difference. Yes it was
very obvious even though the demo was very accurate in reproducing my
browser's chrome. But the rest of the world is nothing like us. Feross says
10% will be tricked. I think that's a very conservative estimate. I wouldn't
be surprised if the numbers went above 50%. If this sort of attack becomes
common then I bet you anything that the majority of users will be tricked just
because full screen is not very common. You'll say full screen is common but
again, you're thinking of people just like you who are in the minority. Most
people have never seen a website in full screen mode. Even with Facebook's
full screen option it doesn't mean your parents are clicking that option or
have even noticed it yet.

I'm actually building an app currently that greatly benefits from the full
screen API and I really hope vendors don't start putting more restrictions on
it. Instead I'm hoping there's a way to make full screen more common in
legitimate ways, get users used to full screen mode so they are aware of it
and know what the little "Now in full screen mode" dialog means. Sure, people
will still get tricked but I'd bet it would be in far less numbers and that
10% figure Feross throws out there might become more realistic.

------
borlak
A similar issue was shown when Adobe Flash fullscreen was first introduced (I
think it was just Macromedia at the time, but anyway).

When you went to fullscreen in Flash, it printed a giant "you are now in
fullscreen mode" in the middle of the screen, but somebody showed that simply
printing similar text all over the screen hid that warning very well.

~~~
hatu
Yeah, but nowadays you can't use the keyboard while fullscreen in Flash, to
prevent this type of phishing.

------
blaines
I think the "Door Study" [1] was the best part! It's hilarious, and horrible
that the guy didn't notice the swap. Maybe I've just lived in a big city long
enough that I'm not surprised by the World Famous Bushman [2] or people's
swindling.

[1] <http://www.youtube.com/watch?v=FWSxSQsspiQ&feature=player_embedded>

[2] <http://en.wikipedia.org/wiki/World_Famous_Bushman>

~~~
geon
I was thinking the door-guy-swap footage where the victim noticed the swap
must be perfect material for "Just for Laughs" [1]. Inversely, the "failed"
Just for Laughs-material where the victims don't react must be perfect
research material.

[1] <http://www.youtube.com/watch?v=662KGcqjT5Q>

------
yati
Great job! But originally, I opened that link in a new tab while I was still
reading the article. It obviously did not work :P I have this habit of opening
most links in a new tab!

~~~
Zancarius
Same here. I have an addiction to opening everything remotely interesting in a
new tab, and my initial reaction was "I don't think this worked?"

Otherwise, it's pretty frightening, because I can imagine that in spite of the
browser warnings, there are many non-savvy users who probably wouldn't give it
a second thought.

As a KDE user, the blatant Gnome UI was kind of glaring but otherwise well
done. ;)

~~~
esolyt
Not even Gnome. It is Ubuntu interface. I guess they were assuming most Linux
users are Ubuntu users.

~~~
feross
Yep, that's what I assumed. :) Also, for a proof-of-concept you're lucky I
even took screenshots in any Linux ;)

------
jpxxx
Brilliant, terrifying, wonderfully crafted and well-communicated work. Where
do we go from here?

~~~
chaud
Firefox has a big warning that asks permission and dims the background, making
it difficult to use until you select allow or deny, so it won't work as well
with Firefox.

Chrome 23 just makes it full screen with a small notice.

~~~
jpxxx
This is true, I saw it too. But a popup telling the user to 'Allow
Fullscreen?' is semantically equivalent to "Click Yes If You Want To Log On To
Your Bank" for most users.

The least savvy are UI-blind, a big portion won't realize a transition just
occurred, and a great majority of them will not read the warning beyond the
first line.

~~~
chaud
If that is the case, how is it a significantly worse problem than a regular
link to a fake site?

~~~
feross
Good question. The key difference is that using the Fullscreen API lets you
fake the "green location bar" which, thanks to hundreds of PSAs from the tech
community over the years, has become synonymous with "this site is safe and
secure".

~~~
ygra
The problem is that for many years the browser's chrome/UI was in fact a place
not hijackable by web sites, in contrast to things that appear within the
normal client area, such as the often-spoofed yellowish notification bar of old
Internet Explorer versions (the newer one at the bottom now sees this as
well). I think Firefox opted for a very deliberate design in security-critical
cases that will always appear from within the chrome and never overlay the
page in a way that could be spoofed by clever CSS.

Of course, now with pages requesting to go fullscreen there isn't a browser UI
anymore that could show things that cannot normally appear in the page
content. Hitting F11 previously at least was something no web page could ever
do by itself. On the other hand, having to wade through warnings like Firefox's
SSL warnings probably scares away users from fullscreen games and developers
from using the feature.

I wouldn't really have an answer to anything of that. I don't even know
whether I embedded a question, I think it was just rambling :-)

------
mistercow
Both Chrome and Firefox show warnings when a page uses the fullscreen API. Is
there a browser out there that doesn't?

~~~
feross
The latest version of Safari shows no warning on fullscreen, making users very
vulnerable. The only indication is a short, half-second animation (it's much
shorter than the usual OS X fullscreen animation). After that, there's no
indication that you're in fullscreen mode.

~~~
othermaciej
Safari also completely disallows keyboard input in fullscreen mode, which
majorly mitigates the vulnerability.

~~~
mistercow
Does it also disable using any kind of keyboard event? Because if so, that
cuts out a ton of legitimate use cases for full screen. If not, it just makes
the vulnerability slightly more of a pain to exploit.

------
jiggy2011
There will always be ways of exploiting things like this.

Perhaps the solution could be to handle this at the network level. In other
words create what is effectively a "personal information firewall" built into
the browser.

Have the browser detect when certain information is about to be sent over the
network; it would need to be checked prior to being passed to SSL. Things that
fit formats like CC numbers or authorisation codes for banks. A prompt could
then appear on top of all active windows saying "A CC number is about to be
sent to xxx" Allow/Deny.

I suppose this would be difficult because phishers could re-encode data using
JS into some other format before it is sent. So you would need some way of
mapping keyboard inputs to networking events.

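A minimal version of the "personal information firewall" sketched above, as an added example that is not part of jiggy2011's comment or any browser's code: before an outbound form submission reaches the network layer, each field is checked for a payment-card-shaped value (13 to 19 digits passing the Luhn check, with the spaces and dashes a user might type stripped first), and a decision object is returned that a browser or extension could turn into the Allow/Deny prompt naming the destination host. The `inspectSubmission` function, its `{ url, fields }` input shape and the sample submissions are all constructed for this example. The last sample shows the limitation the comment itself raises: once page script re-encodes the value (here as base64) before sending it, a check of this kind no longer sees it.

```javascript
// Added example (not from the page): an outbound-data check in the spirit of
// the "personal information firewall" idea. Function names and the input
// shape are assumptions made for this example.

// Luhn checksum: the mod-10 check that payment card numbers satisfy.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;   // '0'..'9' -> 0..9
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Strip the separators a user might type (spaces, dashes), then decide
// whether what remains is card-shaped: 13-19 digits that pass Luhn.
function looksLikeCardNumber(value) {
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Inspect one outbound submission: { url, fields: { name: value, ... } }.
// Returns { allow: true } when nothing card-shaped is present; otherwise a
// decision that holds the request and carries the text for a prompt.
function inspectSubmission(submission) {
  const host = new URL(submission.url).host;
  const flagged = Object.entries(submission.fields)
    .filter(([, value]) => looksLikeCardNumber(value))
    .map(([name]) => name);
  if (flagged.length === 0) return { allow: true, host, flagged };
  return {
    allow: false,   // hold the request until the user answers the prompt
    host,
    flagged,
    prompt: `A card number (field: ${flagged.join(', ')}) is about to be sent to ${host}. Allow/Deny?`,
  };
}

// Constructed sample submissions (test card number 4111 1111 1111 1111).
const checkout = {
  url: 'https://shop.example/checkout',
  fields: { name: 'A. User', card: '4111 1111 1111 1111', cvv: '123' },
};
const search = {
  url: 'https://search.example/q',
  fields: { q: '1234567890123' },   // 13 digits, but fails the Luhn check
};
const reencoded = {
  url: 'https://shop.example/checkout',
  fields: { blob: 'NDExMTExMTExMTExMTExMQ==' },   // base64 of the same card number: not caught
};
```

The `reencoded` sample is the point the comment makes about re-encoding: the check sees only the bytes the page script chose to send, so it catches unaltered form fields but not data transformed before submission.
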
~~~
eslaught
This has been solved with information flow security (see [1]), but the problem
is that performance degrades enough that no one actually uses it.

[1]: <http://cseweb.ucsd.edu/~lerner/papers/pldi09-sif.pdf>

------
w00kie
Google Chrome asks for authorization to enter fullscreen mode. I've updated my
browser this morning to Version 22.0.1229.92 m, is it new?

~~~
esolyt
Updated just now. 22.0.1229.92 on Linux does not ask for authorization but it
displays a permanent notification.

------
jkeesh
Wow Feross. Another sweet demo. I still feel like there is so much to learn
about security, but what I am always amazed at is that the "social
engineering" attacks seem to be the problems that we can never solve. Yes,
there is a technical component (HTML5 full screen api), but at its core this
is a phishing attack, a "fool the user" attack, and not an actual technical
security flaw.

Basically, if I wasn't paying attention, I feel like this was good enough to
fool me. What can be done to save the casual, but maybe unfortunately inept
internet user?

~~~
feross
Thanks Jeremy!

_"What can be done to save the casual, but maybe unfortunately inept internet
user?"_

That's a really good question and unfortunately I don't think anyone has a
good answer.

------
EGreg
I once sent a letter to Steve Jobs saying that the MacOS (and other operating
systems) were susceptible to phishing by applications, which would simply
present a dialog that looks very much like the System Security dialog, and
thereby gain the user's root password.

The solution is to have an area where only the operating system can draw (and
which cannot be screen-captured, the same way Apple currently does with DRM
movies). In this area, the system would present to the user a phrase which the
user selected when setting up their account. This would prevent phishing, as
users would be trained to look for the phrase (and / or icon ... the reason
you can't have an icon alone is because the phisher could get it right 1 out
of N times).

Now, on the web there is a similar thing you can do! When someone places
KEYBOARD FOCUS in your password box, and starts typing the correct password,
you display the icon + phrase that you previously selected when setting up
your account. If the phrase doesn't pop up or is different, you know you're
being phished.

THIS is a great way to stop phishing on the web. Anyone impersonating you will
not know what phrase to display. Only by starting to type the correct pass
phrase will they get this information. On the other hand, they won't be able
to place anything fake over the password input box and capture your input,
because the phrase only appears when you type IN the password input box, which
the attacker can't get to, thanks to the cross-domain security in browsers!

~~~
pbhjpbhj
Yahoo do something like this, they display a per user image on the login,
presumably using cookies?

~~~
EGreg
The only thing is, if you don't wait until the user starts entering the
password, the attacker can theoretically scrape the page with your username
and find out the per-user image.

~~~
pbhjpbhj
You don't get the image based on the username; the image is stored as a
cookie, so it's showing you that the Yahoo you logged in to this time is the
one that knew your cookie details before. Even if an attack-site can read your
cookie they don't know which image to pair it with (though maybe it can be
taken from a local cache somehow?). The image is a per-device (or per
browser?) security indication.

Details - <https://protect.login.yahoo.com/login/set_pref?faq=1#faq2>, it's
called "yahoo sign-in seal".

~~~
EGreg
Oh! Well that's a smart idea... that's kind of like showing you your private
"profile picture" when you are logged in.

But if you have a session cookie, then you hardly need a password. Unless we
are talking about a public computer where you need to enter your password.

I am talking about the times when you DON'T have a session cookie, and you are
prompted to sign in with a password. That's the thing that could be spoofed.

------
cdi
On linux it tries to emulate Ubuntu with default settings, while I have
Cinnamon and different theme and fonts, different user name. Didn't terrify
me.

~~~
antihero
But then, people with custom WMs and whatnot (I'm using herbstluft WM and
Zukitwo) aren't exactly the target market are they.

------
joekrill
I really wish people wouldn't play random, unexpected sound effects from their
websites. Now my entire office thinks I was playing Super Mario Bros.

------
boop
I am not sure why this is on Github? Typically, I applaud when _anything_ is
shared on Github. But why this? What positive value is it to anyone other than
script kiddies?

(Certainly, most any adequate web developer with nefarious intentions would be
able to reproduce this quite easily. But why make it point-and-click easy for
them?)

------
fmavituna
Chromeless windows issues all over again. I don't know why people don't get
their lessons from history.

In 2004 pretty much the same vulnerability was exploited in IE, and later on
this feature was removed from IE: <http://www.kb.cert.org/vuls/id/490708>

------
drfloob
Thank you, Xmonad, for not supporting chrome fullscreen in your default
configuration.

~~~
yen223
That...is a feature?

------
cryptbe
Pretty nice demo. The fullscreen notification can be faked with either
bankofarnerica.com or <http://en.wikipedia.org/wiki/IDN_homograph_attack>.

------
anonymfus
So many people there write about warnings...

Imagine you opened a fresh new HTML5-based game. It requested fullscreen, you
allowed it. You finished the game and clicked on the "Exit fullscreen" button.
Then, instead of cancelling fullscreen mode, you got just a perfect illusion
of it. The site author created an almost complete replacement of your browser
or even your OS UI. So when you created a new tab and entered the
news.ycombinator.com address it was loaded via a proxy.

Maybe it already happened in this demo. Wake up, Neo, and press Esc to exit
from the Matrix, ...sorry, from Fullscreen Mode.

------
statictype
Completely unrelated, I'm going to configure my build process to play that
awesome mario death music when a build fails.

------
amadeus
[firstWorldProtection]Not rMBP optimized. Was painfully obvious to
spot[/firstWorldProtection]

~~~
skeletonjelly
Funnily enough Safari is the only browser that doesn't alert the user about
fullscreen mode. <http://imgur.com/a/jdcI7> (via cfinke)

~~~
robmcm
and even Adobe managed to add warnings to the flash player... Silly Apple

~~~
anonymfus
Adobe had warnings long before the first drafts of the HTML5 fullscreen API.

------
taejo
> It’s important that the fake OS and browser UI match the user’s system.

Actually, it isn't, at least for some users. More than one member of my family
has fallen for the "your computer has a virus" scams, which use Windows
chrome, on Ubuntu machines.

------
Eisbar
Ultimately I think this can only be solved with an out-of-band security state
indicator. Otherwise you can never quite believe what you see onscreen. Plenty
of smartphones already have LEDs. Most keyboards don't use the scroll-lock
LED.

------
isalmon
It does not work when you open the link in a new tab. The font on the
screenshot is not the same that I have when I go to their website, so that
would alarm me. Otherwise it's pretty clever.

------
fiatpandas
High DPI users may detect something isn't right, since the technique doesn't
take into account DPI setting (the fake firefox bar presented to me was much
smaller than what I'm used to)

------
antsam
Hm. As soon as I clicked it, Firefox (or possibly one of my plugins) gave me a
warning that feross.org was trying to enter into full screen mode.

------
danboarder
Listing the actual URL(s) to be loaded in an "Allow Full Screen?" warning
dialogue would go a long way in addressing this issue.

------
lucian1900
Heh, at first I middle-clicked the link as usual and it took me to the real
website. I was wondering what it's all about.

------
SwaroopH
How about onscreen keyboards? They will still work, right? Funny how they are
supposed to "beef up" security.

------
improv32
Not working for me. Chrome 22.0.1229.92 on Win 8 RTM

It doesn't go full screen at all, it just stays in the window normally.

------
vog
Unfortunately, the site is down:

_Iceweasel can't establish a connection to the server at www.feross.org._

~~~
feross
Site is still up.

Are you, by chance, using HTTPS Everywhere? I think they have an erroneous
rule about my site which redirects you to <https://> which I no longer
provide.

------
chinchang
I really liked the mario sfx on clicking the browser UI :P neaatt!

------
chayesfss
Very cool proof of concept

------
est
Only works if you browse with a maximized browser window.

~~~
hatu
On Chrome 22 (Win 7) it went fullscreen even from a window.

~~~
est
I mean if your browser window is NOT maximized and then suddenly your browser
is maximized, you get suspicious.

