Monday, October 15, 2012

Phishing Attacks Using the HTML5 Fullscreen API

11:14 PM  , , , , ,  1 comment

Feross Aboukhadijeh (developer of www.ytinstant.com) was developed a Phishing  concept using HTML 5 FullScreen Api

Credit: http://feross.org

 

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. (http://en.wikipedia.org/wiki/Phishing)
                                    
Many of the people associate phishing via e-mail  that mimic , banks, credit card companies. These messages look authentic and attempt to get victims personal information.

HTML 5 Full Screen API- 


 The HTML 5 Full screen API  allows  developers show web content that fills  the user’s screen completely. eg: watch a fullscreen video on YouTube.

Feross explain how this  API can works, by  hide the interface elements of the users' browser.
Most of the browsers have  user-triggerable full-screen functionality . The HTML5 Fullscreen API is differ from this. this  allows the web developer to access the  same functionality ,  trigger it programmatically. 
Eg : elementToMakeFullscreen.requestFullScreen();

Developer can trigger full screen when user clicks on a link or button .

Eg: Trigger Full screen using Jquery 
$('#button').on('click', function() {
  var doc = document.documentElement;
  if (doc.requestFullscreen) {
    doc.requestFullscreen();
  }
});
Browser Notification.
Apple's Safari browser, version 6.01 and later no sign ( little ) that full-screen  activated or not. 
Google Chrome, version 22 and later some notice.



Mozilla Firefox, version 10 and later, alerts the user with a conspicuous notification.

 



Phishing Using FullScreen Api

Look at the link given bellow
kerala-techies.blogspot.com
The user can check  the link , will show www.kerala-techies.blogspot.com , as expected its good but when you click on the link  the developer (hacker) can call event.preventDefault() to prevent the default action ie  navigating to the link and able to trigger  fullscreen,  and mimic the browser , OS  and go to the fake page . This fake page look like same as the original with a green padlock for HTTPS.

Credit: http://feross.org
$('html').on('click keypress', 'a', function(event) {

  // Prevent navigation to legit link
  event.preventDefault();
  event.stopPropagation();

  // Trigger fullscreen
 

  // Show fake OS and browser UI
  $('#menu, #browser').show();

  // Show fake target site
  $('#target-site').show();
});

Full Source Code

Credit: http://feross.org
DEMO

 

The content of - Phishing Attacks Using the HTML5 Fullscreen API in Kerala Techies  has taken from Various Sources  and Analysis of our Team. This Information given by Kerala Techies.

1 comments:

Subscribe to: Post Comments (Atom)