
Using the HTML5 Fullscreen API for Phishing Attacks

211 points | feross | 13 years ago | feross.org

127 comments

[+] nikcub|13 years ago|reply
When the standard was being ratified, this came up on the mailing list (I can't find the link right now, I am on my cell).

The solution was to recommend that vendors print warning labels across the top or add a layer of permissions around the feature, which Chrome and Safari have done.

For example, when I open it I get a message saying 'Chrome is currently in fullscreen mode'. They will likely both also add permission boxes similar to when the browser requests your location.

It is good for developers to understand this, though, but I wouldn't say that the spec is broken or that this is a bad feature; it can be implemented securely and with warnings. Anti-phishing education for users should involve primarily talking about not trusting links anywhere and typing in the address directly.

Edit: Here it is from the Spec:

http://dvcs.w3.org/hg/fullscreen/raw-file/tip/Overview.html#...

> 7. Security and Privacy Considerations

> User agents should ensure, e.g. by means of an overlay, that the end user is aware something is displayed fullscreen. User agents should provide a means of exiting fullscreen that always works and advertise this to the user. This is to prevent a site from spoofing the end user by recreating the user agent or even operating system environment when fullscreen. See also the definition of requestFullscreen().

> To prevent embedded content from going fullscreen only embedded content specifically allowed via the allowfullscreen attribute of the HTML iframe element will be able to go fullscreen. This prevents untrusted content from going fullscreen.

I am most familiar with Safari and Chrome (have been meaning to get up-to-date with Firefox, which has had a lot of good work put into it) but all of the major browser vendors have done something around this in their own way with both desktop and mobile releases.

It is at the discretion of each vendor how they implement security warnings or settings around full screen mode. They all have slightly different implementations but the end result is that they go some way towards preventing a phishing attack using Fullscreen.

That said, it was a good idea to bring this issue to the attention of developers and users as a potential attack vector and as a demonstration of why the security dialogs are important.

Edit II: The whatwg thread where the security considerations are discussed begins here:

http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2009-Dec...

The first post rightly points out that Flash had the feature implemented in a non-secure manner for a long time.
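The overlay that the quoted section 7 asks user agents to provide, done from the user's side as an added example (not code from the article, the thread or any browser vendor): a user-script sketch that paints a persistent banner naming the real host whenever the document enters fullscreen. It assumes the unprefixed Fullscreen API of current browsers (document.fullscreenElement and the fullscreenchange event); the function and id names are this example's own.

```javascript
// Added example, not from the article or the thread: a user-script sketch of
// the overlay that section 7 of the spec asks user agents to show.
// Assumes the unprefixed Fullscreen API (document.fullscreenElement and the
// "fullscreenchange" event); 2012-era browsers needed webkit/moz prefixes.

const BANNER_ID = 'fullscreen-guard-banner'; // hypothetical id for the banner

// Pure helper so the wording can be checked outside a browser.
function noticeText(hostname, tagName) {
  const what = tagName ? '<' + tagName.toLowerCase() + '>' : 'an element';
  return hostname + ' has put ' + what + ' into fullscreen. Nothing on screen ' +
         'is your browser or desktop. Press Esc to leave fullscreen.';
}

// doc is the Document (or, in a test, a stand-in with the same few members).
function installFullscreenGuard(doc) {
  let banner = null;

  function ensureBanner() {
    const el = doc.fullscreenElement;
    if (!el) {                                  // left fullscreen: take it down
      if (banner) { banner.remove(); banner = null; }
      return;
    }
    if (banner && banner.isConnected) return;   // still there, nothing to do
    banner = doc.createElement('div');
    banner.id = BANNER_ID;
    banner.setAttribute('style',
      'position:fixed;top:0;left:0;right:0;z-index:2147483647;padding:12px;' +
      'background:#b00;color:#fff;font:16px sans-serif;text-align:center');
    banner.textContent = noticeText(doc.location.hostname, el.tagName);
    // Everything outside the fullscreen element's subtree is covered by its
    // backdrop, so the banner must live inside it, not on <body>. A phishing
    // page needs a container element for its fake desktop anyway.
    el.appendChild(banner);
  }

  doc.addEventListener('fullscreenchange', ensureBanner);
  // The page's own script can delete the banner; put it back on any DOM change.
  // The page owner can still win this race (e.g. by stacking something above
  // it), which is why the spec wants the overlay drawn by the user agent, not
  // by anything inside the page.
  if (typeof MutationObserver !== 'undefined') {
    new MutationObserver(ensureBanner).observe(doc, { childList: true, subtree: true });
  }
  return { ensureBanner };
}

if (typeof document !== 'undefined') installFullscreenGuard(document);
```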

[+] cfinke|13 years ago|reply
> which Chrome and Safari have done

Firefox does it too, and in a much more obvious way than either Chrome or Safari. Here are all the latest browsers on Mac compared: http://imgur.com/a/jdcI7 (Sorry Opera; I haven't re-installed you yet.)

I actually didn't get any permissions dialog or warning label in Safari 6; maybe I ok'd it for another site at some point in the past, but I definitely didn't whitelist this domain.

[+] macspoofing|13 years ago|reply
>The first post rightly points out that Flash had the feature implemented in a non-secure manner for a long time.

Flash disabled all "printing" keys in full-screen mode, and disabled a warning label when entered into the mode. FS could only be entered from user action. So Flash's full-screen mode was limited but fairly secure.

[+] romaniv|13 years ago|reply
Why do we need a JavaScript-based API for this anyway? Wouldn't it be MUCH better to allow websites to detect when the user presses F11 instead? It's not just about security, it's about managing expectations and familiar UI.
[+] jeswin|13 years ago|reply
The concept is clever, and very interesting.

However, most users (even experienced users) don't look at the URL when visiting information-sensitive websites, and www.bankofamerica.fsh4.com would still not alarm them. They don't understand the SSL icon either.

[+] ygra|13 years ago|reply
There was some interesting research a few years ago regarding the SSL icon. Since the idea that a padlock means a website is secure is firmly ingrained in many users, they just made the favicon into a lock. A surprisingly large number of users were fooled by that.

I guess "padlock means secure" has been superseded a little by "address bar is green somewhere" by now, but the problem remains the same.

[+] damncabbage|13 years ago|reply
> The user can hover their mouse over the link and their status bar will show https://www.bankofamerica.com, as expected.

Google search results use a similar technique to show you the "right" link when you hover.

(It's only when you click the link that it mucks around with the DOM to insert the google.com/... redirect link.)

[+] guelo|13 years ago|reply
This is pissing me off. The link hover should be sacred, browsers shouldn't allow any trickery there.
[+] peterjmag|13 years ago|reply
That's not what's happening here though. The JS in the demo doesn't change the href attribute of the link, it just adds an event handler that prevents the real link from loading using e.preventDefault() and then triggers full screen.
[+] ben0x539|13 years ago|reply
This was really annoying for me because somehow the google redirect link took a lot longer to load than the ultimate destination would, or even regular google pages.
[+] feross|13 years ago|reply
Yep. Try Right Click > Copy Link Address. It copies the google.com/... redirect link, which is how I first learned that they were doing this.
[+] andrewfelix|13 years ago|reply
The demo you've put together is very nice. It even accounts for the different UI styling of individual browsers. However, in all cases where the link worked, I received a very large warning that has to be manually dismissed.

This is not a rhetorical question; do you think people would ignore the warning and continue to use the site?

An easier phishing technique would be to manipulate the address to appear legitimate using pushState.

[+] feross|13 years ago|reply
"do you think people would ignore the warning and continue to use the site?"

I actually made this demo back in April but just got around to posting about it now. In the meantime, Firefox and Chrome have made their warning messages more prominent. Still, I think it's a pretty major issue.

Experienced web users won't be fooled by something like this. But, even if 1% of users are fooled by this technique, that's still potentially thousands of innocent web users, which I think is unacceptable.

[+] SoftwareMaven|13 years ago|reply
> do you think people would ignore the warning and continue to use the site?

Absolutely. My eyes were opened to that when I was troubleshooting my father's webcam over the phone. It kept not working when everything looked like it should. He just failed to let me know about the alert that kept popping up that said "camera is locked by <foo>". Instead, without reading, he just hit the "X", even though I was asking for every step he was performing. Closing a rogue alert isn't even a "step" to most people.

If you are relying on dialogs to keep your users safe, you are doing it wrong. Unfortunately, I don't know what the right answer here is.

[+] AngryParsley|13 years ago|reply
That's clever. It was pretty obvious to me, since I run Chrome in presentation mode (no UI elements visible) and Chrome popped up a dialog box telling me about the switch to full-screen mode. Still, I can see how a lot of people could be tricked by this. I can't think of a better solution than extant phishing site blacklists.

Full-screen mode can be useful, but it and other HTML5 features can be used for phishing or to generally annoy users. I'm wondering how soon it will be before someone makes the HTML5-equivalent of ClickToFlash.

[+] wtallis|13 years ago|reply
NoScript already inherently blocks this, and even if you allow the domain that provides the script that tries to go full-screen, and allow the full-screen transition, the web page pretending to be a desktop doesn't cover the NoScript toolbar that's still prompting for permissions on the other domains. I suspect the anti-clickjacking measures would kick in if the phishing site tried to incorporate the real site as a base layer.

NoScript does not seem to have any features targeted directly at HTML5 fullscreen, though.

[+] skeletonjelly|13 years ago|reply
By presentation mode you mean fullscreen (F11)? I had a quick search and couldn't find anything conclusive. It's an OSX specific thing?
[+] jrabone|13 years ago|reply
For login screens, this is the problem that the Secure Attention Key (http://en.wikipedia.org/wiki/Secure_attention_key) was intended to solve.

IMO this is why the constant pushing of the browser as a platform is more trouble than it's worth. Everything that your OS does now will be re-invented (badly, several times) in one or more of the different web-browsers, lost, found, queried in triplicate, standardised before finally being recycled as firelighter when the next "paradigm shift" takes over.

[+] jmitcheson|13 years ago|reply
You're being a bit disingenuous by not mentioning the inbuilt protections that the HTML5 Fullscreen API offers.

"Also, any alphanumeric keyboard input while in full-screen mode causes a warning message to appear; this is done to help guard against phishing attacks. The following keys are the only ones that don't cause this warning message to appear (...)"

(https://developer.mozilla.org/en-US/docs/DOM/Using_full-scre...)

The article and demo are nice though. Good work.

[+] feross|13 years ago|reply
That documentation is out-of-date. There were no warnings on keyboard input in Firefox or Chrome. I went fullscreen on a Facebook photo and was able to leave a comment without any issues.

Safari, on the other hand, appears to prevent keyboard input, which I just recently found out.

[+] bpatrianakos|13 years ago|reply
It's really annoying and alarming to hear technical people rebut this with "Well, I could tell the difference because I noticed my browser changed and my super customized desktop settings weren't reproduced, and plus it says 'now in full screen mode', etc.". It's alarming because this type of response just goes to show that the people creating things for the web are so completely out of touch with real users. There's this weird idea among developers that users know how to use technology just like we do when in fact they don't even know which website handles their email half the time, think Google is the internet, use the browser search bar to type full URLs even though the actual address bar is 10 pixels to the left, and will blame you for giving them a virus because you changed their desktop wallpaper and not because of all those shady links to foreign lotteries they were clicking in their email which they were lucky to find in the first place.

Yeah, you can tell the difference. I could tell the difference. Yes, it was very obvious even though the demo was very accurate in reproducing my browser's chrome. But the rest of the world is nothing like us. Feross says 10% will be tricked. I think that's a very conservative estimate. I wouldn't be surprised if the numbers went above 50%. If this sort of attack becomes common then I bet you anything that the majority of users will be tricked just because full screen is not very common. You'll say full screen is common but again, you're thinking of people just like you who are in the minority. Most people have never seen a website in full screen mode. Even with Facebook's full screen option it doesn't mean your parents are clicking that option or have even noticed it yet.

I'm actually building an app currently that greatly benefits from the full screen API and I really hope vendors don't start putting more restrictions on it. Instead I'm hoping there's a way to make full screen more common in legitimate ways, get users used to full screen mode so they are aware of it and know what the little "Now in full screen mode" dialog means. Sure, people will still get tricked but I'd bet it would be in far smaller numbers, and that 10% figure Feross throws out there might become more realistic.

[+] borlak|13 years ago|reply
A similar issue was shown when Adobe Flash fullscreen was first introduced (I think it was just Macromedia at the time, but anyway).

When you went to fullscreen in flash, it printed a giant "you are now in fullscreen mode" in the middle of the screen, but somebody showed that simply by printing similar text all over your screen, it hid that warning very well.

[+] hatu|13 years ago|reply
Yeah, but nowadays you can't use the keyboard while fullscreen in Flash to prevent this type of phishing.
[+] blaines|13 years ago|reply
I think the "Door Study" [1] was the best part! It's hilarious, and horrible that the guy didn't notice the swap. Maybe I've just lived in a big city long enough that I'm not surprised by the World Famous Bushman [2] or people's swindling.

[1] http://www.youtube.com/watch?v=FWSxSQsspiQ&feature=playe...

[2] http://en.wikipedia.org/wiki/World_Famous_Bushman

[+] geon|13 years ago|reply
I was thinking the door-guy-swap footage where the victim noticed the swap must be perfect material for "Just for Laughs" [1]. Inversely, the "failed" Just for Laughs-material where the victims don't react must be perfect research material.

[1] http://www.youtube.com/watch?v=662KGcqjT5Q

[+] feross|13 years ago|reply
I saw the World Famous Bushman in SF last year -- I had no idea that he was "world famous" and had his own Wikipedia article! Neat.
[+] yati|13 years ago|reply
Great job! But originally, I opened that link in a new tab while I was still reading the article. It obviously did not work :P I've this habit of opening most links in a new tab!
[+] Zancarius|13 years ago|reply
Same here. I have an addiction to opening everything remotely interesting in a new tab, and my initial reaction was "I don't think this worked?"

Otherwise, it's pretty frightening, because I can imagine that in spite of the browser warnings, there are many non-savvy users who probably wouldn't give it a second thought.

As a KDE user, the blatant Gnome UI was kind of glaring but otherwise well done. ;)

[+] jpxxx|13 years ago|reply
Brilliant, terrifying, wonderfully crafted and well-communicated work. Where do we go from here?
[+] tlrobinson|13 years ago|reply
I don't know about your browser, but mine (Chrome 22) showed a very obvious warning that my browser was now in fullscreen mode.

I certainly wouldn't be tricked by this, but someone less technically savvy could be.

[+] chaud|13 years ago|reply
Firefox has a big warning that asks permission and dims the background, making it difficult to use until you select allow or deny, so it won't work as well with Firefox.

Chrome 23 just makes it full screen with a small notice.

[+] mistercow|13 years ago|reply
Both Chrome and Firefox show warnings when a page uses the fullscreen API. Is there a browser out there that doesn't?
[+] feross|13 years ago|reply
The latest version of Safari shows no warning on fullscreen, making users very vulnerable. The only indication is a short, half-second animation (it's much shorter than the usual OS X fullscreen animation). After that, there's no indication that you're in fullscreen mode.
[+] jiggy2011|13 years ago|reply
There will always be ways of exploiting things like this.

Perhaps the solution could be to handle this at the network level. In other words create what is effectively a "personal information firewall" built into the browser.

Have the browser detect when certain information is about to be sent over the network; it would need to be checked prior to being passed to SSL. Things that fit formats like CC numbers or authorisation codes for banks. A prompt could then appear on top of all active windows saying "A CC number is about to be sent to xxx" Allow/Deny.

I suppose this would be difficult because phishers could re-encode data using JS into some other format before it is sent. So you would need some way of mapping keyboard inputs to networking events.
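jiggy2011's "personal information firewall" worked through as an added example (not code from the thread): a scan of an outbound form body for card numbers, the prompt it would raise naming the real destination host, and the JS re-encoding bypass the post itself anticipates. The function names are this example's own, and the point where a browser extension would hook the request body is assumed rather than shown.

```javascript
// Added example, not from the thread: the body-scanning half of the
// "personal information firewall" proposed above. An extension would call
// scanOutboundBody() with the request's host and form body before the request
// leaves the browser; that hook is assumed here, not implemented.

// Luhn check over a string of ASCII digits (payment card numbers satisfy it).
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return sum % 10 === 0;
}

function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Finds card-number-looking values in an application/x-www-form-urlencoded
// body: 13-19 digits, optionally split by spaces or dashes, passing Luhn.
function findCardNumbers(body) {
  const hits = [];
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const field = safeDecode(eq < 0 ? pair : pair.slice(0, eq));
    const value = safeDecode(eq < 0 ? '' : pair.slice(eq + 1));
    for (const m of value.match(/\b(?:\d[ -]?){12,18}\d\b/g) || []) {
      const digits = m.replace(/[ -]/g, '');
      if (luhnValid(digits)) hits.push({ field, number: digits });
    }
  }
  return hits;
}

// The decision put in front of the user. The host comes from the request, not
// from anything the page drew on screen, which is the whole point.
function scanOutboundBody(hostname, body) {
  const hits = findCardNumbers(body);
  if (hits.length === 0) return { allow: true, prompt: null };
  const masked = hits.map(h => h.field + ': ****' + h.number.slice(-4)).join(', ');
  return { allow: false,
           prompt: 'A card number (' + masked + ') is about to be sent to ' +
                   hostname + '. Allow / Deny?' };
}

// Constructed sample bodies (4111... is a well-known test card number). The
// third shows the bypass the post anticipates: the same number base64-encoded
// by page script passes straight through, so the check would have to be tied
// to keystrokes rather than to the wire format.
const SAMPLE_PLAIN   = 'name=A+User&cc=4111+1111+1111+1111&cvv=123';
const SAMPLE_NOTCARD = 'name=A+User&phone=4111111111111112';        // fails Luhn
const SAMPLE_ENCODED = 'name=A+User&blob=NDExMTExMTExMTExMTExMQ%3D%3D'; // base64
```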

[+] w00kie|13 years ago|reply
Google Chrome asks for authorization to enter fullscreen mode. I've updated my browser this morning to Version 22.0.1229.92 m, is it new?
[+] esolyt|13 years ago|reply
Updated just now. 22.0.1229.92 on Linux does not ask for authorization but it displays a permanent notification.
[+] jkeesh|13 years ago|reply
Wow Feross. Another sweet demo. I still feel like there is so much to learn about security, but what I am always amazed at is that the "social engineering" attacks seem to be the problems that we can never solve. Yes, there is a technical component (HTML5 full screen API), but at its core this is a phishing attack, a "fool the user" attack, and not an actual technical security flaw.

Basically, if I wasn't paying attention, I feel like this was good enough to fool me. What can be done to save the casual, but maybe unfortunately inept internet user?

[+] feross|13 years ago|reply
Thanks Jeremy!

"What can be done to save the casual, but maybe unfortunately inept internet user?"

That's a really good question and unfortunately I don't think anyone has a good answer.

[+] EGreg|13 years ago|reply
I once sent a letter to Steve Jobs saying that the MacOS (and other operating systems) were susceptible to phishing by applications, which would simply present a dialog that looks very much like the System Security dialog, and thereby gain the user's root password.

The solution is to have an area where only the operating system can draw (and which cannot be screen-captured, the same way Apple currently does with DRM movies). In this area, the system would present to the user a phrase which the user selected when setting up their account. This would prevent phishing, as users would be trained to look for the phrase (and / or icon ... the reason you can't have an icon alone is because the phisher could get it right 1 out of N times).

Now, on the web there is a similar thing you can do! When someone places KEYBOARD FOCUS in your password box, and starts typing the correct password, you display the icon + phrase that you previously selected when setting up your account. If the phrase doesn't pop up or is different, you know you're being phished.

THIS is a great way to stop phishing on the web. Anyone impersonating you will not know what phrase to display. Only by starting to type the correct pass phrase will they get this information. On the other hand, they won't be able to place anything fake over the password input box and capture your input, because the phrase only appears when you type IN the password input box, which the attacker can't get to, thanks to the cross-domain security in browsers!

[+] pbhjpbhj|13 years ago|reply
Yahoo do something like this, they display a per user image on the login, presumably using cookies?
[+] cdi|13 years ago|reply
On Linux it tries to emulate Ubuntu with default settings, while I have Cinnamon and a different theme and fonts, and a different user name. Didn't terrify me.
[+] antihero|13 years ago|reply
But then, people with custom WMs and whatnot (I'm using herbstluft WM and Zukitwo) aren't exactly the target market are they.
[+] joekrill|13 years ago|reply
I really wish people wouldn't play random, unexpected sound effects from their websites. Now my entire office thinks I was playing Super Mario Bros.
[+] boop|13 years ago|reply
I am not sure why this is on GitHub? Typically, I applaud when anything is shared on GitHub. But why this? What positive value is it to anyone other than script kiddies?

(Certainly, most any adequate web developer with nefarious intentions would be able to reproduce this quite easily. But why make it point-and-click easy for them?)