A flaw in Apple’s Safari browser is allowing attackers to deceive users using a rather stealthy technique: displaying fake pages in full-screen mode to steal data such as passwords or personal information.
How does it work? Any website can ask the browser to enter full-screen mode through the Fullscreen API (requestFullscreen), as long as the request is made in response to a user action such as a click. Once full screen is active, the browser's own interface, including the address bar, disappears, so the attacker can render a page that looks identical to a legitimate site, such as your bank or a social media platform, with no URL left on screen to contradict it. In this manipulated environment, the victim unknowingly types their data directly into the attacker's hands.
What’s especially concerning is that Safari, unlike other browsers, does not clearly warn users when a page switches to full-screen mode. This makes the attacks much more believable and harder for the average user to detect.
Recently, there has been an increase in this kind of digital deception, particularly targeting Safari users. Attackers have even managed to completely cover the browser interface with a fake window that fully hides the address bar, making it even more difficult to determine whether you're on the legitimate site or not.
How Does a BitM Attack Work?
A Browser-in-the-Middle (BitM) attack is a particularly crafty way of deceiving users. Essentially, the attacker makes you interact with a browser that they control remotely, while you believe you're on a legitimate page—like your bank or email service.
The attacker-controlled browser opens a legitimate Steam login page in a BitM attack (Source: SquareX)
To achieve this, attackers use tools like noVNC, a VNC client that runs inside a web page. The attacker's page embeds it so that a browser running on the attacker's server is streamed into your tab. It feels like using a regular browser, but every keystroke and click is relayed to the attacker's machine, and it is that remote browser, not yours, that actually talks to the real site.
What's most concerning is that when you enter your credentials, such as your username and password, the attacker captures them instantly. At the same time, the login is allowed to go through, so you see your account as expected and suspect nothing. Because the login actually happens in the attacker's browser, the session the site issues lives there as well: the attacker ends up with a logged-in browser, not just a password, and a one-time code typed in the same flow does not change that.
Of course, they first need to lure you to that fake site. They usually do this through a malicious link, which can appear in an ad, a social media post, or even an innocent-looking comment. If you click on it, you fall into the trap.
Promotion of a Fake Figma Website Through Sponsored Ads
The Full-Screen Trick
This type of deception relies on something very simple: full-screen mode. The attacker waits for the moment the user clicks the login button. If the user is not looking at the URL at that instant, either because they are already in full-screen or simply aren't paying attention, that click is all the attacker needs.
Behind the scenes there is a hidden window, controlled by the attacker, that was opened earlier and kept out of sight. The click on the login button supplies the user gesture that the Fullscreen API requires, so at that moment the window is brought forward in full-screen mode and completely covers what the user was originally viewing, displaying instead what appears to be the legitimate site.
From the user's perspective, everything seems normal. They appear to be on their usual page and everything looks right, but in reality they are interacting with the attacker's window, which shows the real site through the attacker's remote browser.
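The mechanics above, as an added example that is not the article's or SquareX's code: a single JavaScript file that builds a page with a "Log in" button, a hidden overlay standing in for the attacker-controlled window, and a log showing that requestFullscreen() is refused on page load and granted only from the click handler. The file name fullscreen-overlay-demo.js and the simulated overlay are assumptions; a real BitM page would place a noVNC viewer where the overlay is. Loading the page in Safari and in Chrome or Firefox side by side shows the difference in warnings discussed below, and describeFullscreenElement is the sentence a browser-level warning would need to show.

```javascript
// Added example, not code from the article or from SquareX. It rebuilds the trick
// described above as one same-origin page so the browser's full-screen cue (banner in
// Chrome/Firefox, slide animation in Safari) can be observed. The "remote browser" is
// simulated with a plain <div>; a real BitM page would put a noVNC viewer there.
// Usage: save as fullscreen-overlay-demo.js and load it from an otherwise empty HTML file
// with <script src="fullscreen-overlay-demo.js"></script> (Chrome, Firefox, Edge or
// desktop Safari 16.4+; Safari on iPhone only allows full screen for <video>).

// Pure helper: the sentence a warning banner should display for the element that went
// full-screen. An <iframe>'s src attribute is readable even when the frame is cross-origin,
// so the banner can name the host that now owns the whole screen.
function describeFullscreenElement(el) {
  if (!el) return 'Full-screen mode exited';
  const tag = String(el.tagName || 'element').toLowerCase();
  let origin = 'this page';
  if (el.src) {
    try { origin = new URL(el.src).host || origin; } catch (_) { /* unparsable src: keep default */ }
  }
  return `Full-screen mode entered by <${tag}> from ${origin}`;
}

// requestFullscreen() needs transient user activation. Without it the returned promise
// rejects (the error name varies by browser); inside a click handler it resolves.
// Report the outcome instead of throwing so both cases can be logged.
async function tryFullscreen(el) {
  try {
    await el.requestFullscreen();
    return { ok: true, reason: 'entered full-screen' };
  } catch (err) {
    return { ok: false, reason: `refused (${err.name}: ${err.message})` };
  }
}

// Build the demo page: a "Log in" button, a hidden overlay standing in for the
// attacker-controlled window, and a log of what the Fullscreen API did.
function buildDemo(doc) {
  const button = doc.createElement('button');
  button.textContent = 'Log in';
  const overlay = doc.createElement('div');
  overlay.hidden = true; // "minimized": in the DOM but invisible until the click
  overlay.style.cssText = 'background:#fff;color:#000;padding:2em;font:16px sans-serif';
  overlay.innerHTML =
    '<h1>Sign in to your account</h1>' +
    '<p>Simulated attacker content. Note that no address bar is visible right now.</p>' +
    '<button id="exit">Exit full screen</button>';
  const log = doc.createElement('pre');
  doc.body.append(button, overlay, log);
  const note = (msg) => { log.textContent += msg + '\n'; };

  // 1. On load there is no user activation, so the request is refused. This is why the
  //    attack has to wait for the victim to click something.
  tryFullscreen(overlay).then((r) => note(`on load: ${r.reason}`));

  // 2. The click on "Log in" is the activation the overlay needs.
  button.addEventListener('click', async () => {
    overlay.hidden = false;
    note(`on click: ${(await tryFullscreen(overlay)).reason}`);
  });
  overlay.querySelector('#exit').addEventListener('click', () => doc.exitFullscreen());

  // 3. What a browser-level warning should say. Chrome and Firefox show their own banner
  //    at this point; Safari shows only the slide animation.
  doc.addEventListener('fullscreenchange', () => {
    note(describeFullscreenElement(doc.fullscreenElement));
    if (!doc.fullscreenElement) overlay.hidden = true;
  });
}

// Only touch the DOM when running in a browser (the helpers above are usable elsewhere).
if (typeof document !== 'undefined') {
  if (document.readyState === 'loading') {
    document.addEventListener('DOMContentLoaded', () => buildDemo(document), { once: true });
  } else {
    buildDemo(document);
  }
}
```

The first log line confirms that the request made on load is refused, which is exactly why the attack is keyed to the login click; the second shows the same element accepted once a click supplies the activation. Replace the overlay with an iframe pointing at an attacker-controlled host and describeFullscreenElement will name that host, which is the information a Safari user never sees.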
What's especially concerning is that this type of attack doesn't trigger alerts in many security tools like EDR or SASE/SSE, because it relies on legitimate browser functions rather than malware: nothing is downloaded or executed on the device outside the browser itself.
There is, however, a small glimmer of hope: browsers like Firefox, Chrome, and Edge display a warning when a site enters full-screen mode. Many users may ignore or overlook it, but that alert does exist and, while not perfect, it helps reduce the risk of falling for these types of traps.
Full-Screen Mode Warning Message in Firefox (left) and Chrome (right)
The issue with Safari is that it doesn’t display any clear warning when a page enters full-screen mode. The only thing the user sees is a quick animation, like a “slide,” which can be easily overlooked if you're not paying close attention.
While this type of attack can work on other browsers, it’s far more convincing and dangerous in Safari precisely because there are no obvious visual cues to indicate the switch to full-screen. In other browsers like Chrome or Firefox, at least a visible alert appears—even if users don’t always pay attention to it.
The researchers who discovered this flaw reported it to Apple, but the response they received was that no changes are planned. According to Apple, the existing animation should be enough to alert users… although clearly, it isn’t for most people. So far, no further official response has been provided.