Severity
Medium
Analysis Summary
A newly disclosed Browser-in-the-Middle (BitM) attack, uncovered as part of the Year of Browser Bugs (YOBB) project, highlights a serious vulnerability in Safari's Fullscreen API implementation. Unlike traditional BitM techniques, this sophisticated attack abuses Safari’s lack of full-screen visual cues, enabling cybercriminals to craft seamless phishing campaigns. The attackers use this flaw to completely obscure malicious URLs, tricking even the most vigilant users into believing they are interacting with legitimate services. When users click on fake interface elements, such as login buttons, the requestFullscreen() method is triggered, initiating the deception.
According to the researcher, the core of the attack lies in Safari’s design, where entering fullscreen mode is not clearly communicated to the user; only a brief swipe animation is shown, unlike Chrome, Firefox, or Edge, which display explicit fullscreen warnings. This opens the door for threat actors to exploit seemingly harmless user interactions to engage fullscreen mode and deploy fake login screens that replicate authentic sites. These fake interfaces often display convincingly forged address bars, further deceiving users and enabling attackers to harvest login credentials and other sensitive information.
To execute the attack, adversaries use the noVNC remote access framework, which allows an attacker-controlled browser to be rendered inside the victim’s window. Combined with Safari’s full-screen loophole, the attacker’s browser can simulate any interface without revealing the true origin. Since the Fullscreen API specification only requires minimal user interaction, such as a single click, the attack chain is easy to trigger. This method marks a major evolution in phishing techniques, removing a common limitation of earlier BitM attacks: the visible malicious URL.
The implications for enterprise security are severe. Current Endpoint Detection and Response (EDR) solutions, as well as Secure Access Service Edge (SASE) and Security Service Edge (SSE) frameworks, are ineffective against this browser-native attack vector. These tools cannot monitor in-browser activity or detect pixel-based manipulations used in the attack. Despite formal disclosure, Apple has declined to address the issue, citing that Safari’s behavior aligns with design specifications. Security experts now advocate for the deployment of browser-native monitoring tools capable of providing visibility into user interactions within the browser, as traditional defenses are inadequate against such advanced, UI-level threats.
Impact
- Sensitive Credentials Theft
- Gain Access
Affected Vendors
- Apple
Affected Products
- Apple Safari
Remediation
- Deploy security solutions that operate within the browser context to monitor DOM changes and UI interactions and to detect phishing behavior in real time.
- For enterprise environments, use Mobile Device Management (MDM) or browser configuration policies to limit or disable full-screen functionality where not necessary.
- Use JavaScript-based monitoring tools that log and alert when requestFullscreen() is invoked unexpectedly on sensitive web applications.
- Recommend or enforce the use of browser extensions that detect phishing pages and warn users even in full-screen mode.
- When using Remote Browser Isolation (RBI) technologies, ensure they include UI fingerprinting or anti-spoofing checks to prevent attackers from mimicking address bars.
- Until Apple addresses the issue, consider advising users to use browsers like Chrome or Firefox that provide clearer full-screen warnings for sensitive tasks.
- Use firewall or proxy controls to block or monitor access to known noVNC infrastructure or suspicious iframe embedding behavior.
- Engage with Apple and other browser vendors to advocate for better user notification and security controls around full-screen usage.
- Leverage solutions capable of behavioral analysis and heuristic detection to catch phishing attempts not flagged by traditional EDRs.
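As an added example (not part of the advisory, and not a vendor product), the JavaScript-based monitoring suggested above: a hook around requestFullscreen() that logs every call, flags calls outside an allow-list or on a container wrapping an embedded frame or canvas, and can block them. The allow-list selector `video#player`, the origin `https://example.test` and the stub document and element prototype are constructed for the offline demo; in a page, `document` and `Element.prototype` would be passed instead.

```javascript
// Added example, not the advisory's code: hook requestFullscreen() to log, flag and optionally
// block requests. `doc`/`proto` are injected so the constructed stubs below run offline in Node.
function installFullscreenMonitor(doc, proto, opts = {}) {
  const allowed = new Set(opts.allowedSelectors || []); // elements expected to go fullscreen
  const events = [];
  const record = (e) => { events.push(e); if (opts.report) opts.report(e); };
  for (const name of ["requestFullscreen", "webkitRequestFullscreen"]) {
    const original = proto[name];
    if (typeof original !== "function") continue;
    proto[name] = function (...args) {
      const tag = String(this.tagName || "?").toLowerCase();
      const selector = this.id ? `${tag}#${this.id}` : tag;
      // A container wrapping an <iframe>/<canvas> is how a remote browser would be rendered.
      const wrapsEmbed = typeof this.querySelector === "function" &&
        this.querySelector("iframe, canvas") !== null;
      const suspicious = !allowed.has(selector) || wrapsEmbed;
      record({ kind: suspicious ? "unexpected_fullscreen_request" : "fullscreen_request",
               method: name, selector, wrapsEmbed, origin: doc.location ? doc.location.origin : "" });
      if (suspicious && opts.block) {
        return Promise.reject(new Error("fullscreen request blocked by policy: " + selector));
      }
      return original.apply(this, args);
    };
  }
  // Also record when fullscreen actually toggles, so successful requests are visible.
  if (typeof doc.addEventListener === "function") {
    doc.addEventListener("fullscreenchange", () =>
      record({ kind: "fullscreenchange", active: doc.fullscreenElement !== null }));
  }
  return events;
}
// Constructed stand-ins for document and Element.prototype (offline demo only).
function makeStubs() {
  const proto = { requestFullscreen() { return Promise.resolve("entered"); } };
  const doc = { location: { origin: "https://example.test" }, fullscreenElement: null, addEventListener() {} };
  // childTags: tag names the element contains, backing the querySelector stub.
  const el = (tagName, id, childTags) => Object.assign(Object.create(proto), {
    tagName, id, querySelector: (sel) => (childTags.some((t) => sel.includes(t)) ? {} : null),
  });
  return { doc, proto, el };
}
// Offline demo: an allow-listed <video> passes; a <div> wrapping an <iframe> is logged and blocked.
function runDemo() {
  const { doc, proto, el } = makeStubs();
  const events = installFullscreenMonitor(doc, proto, { allowedSelectors: ["video#player"], block: true });
  el("VIDEO", "player", []).requestFullscreen();
  el("DIV", "", ["iframe"]).requestFullscreen().catch(() => {});
  return events;
}
```

The recorded events can be forwarded from `opts.report` to the application's telemetry endpoint; the hook only sees the page it runs in, so it belongs on the sensitive application itself rather than relying on the victim's browser.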