Latest news with #YearofBrowserBugs
Techday NZ
2 days ago
- Techday NZ
Exclusive: SquareX's Audrey Adeline on why the browser is 'the new endpoint'
The browser is the new battleground. That's the message from Audrey Adeline of cybersecurity company SquareX, who has launched a practical Browser Detection and Response Manual to help organisations understand and defend against attacks in what she calls "the most used app on your device." "Eighty per cent of the time spent on a device is now in the browser," she explained to TechDay during a recent interview. "Yet it's one of the least protected surfaces in cybersecurity." Unveiled at the RSA Conference (RSAC'25) earlier this year, the manual has struck a chord with security leaders worldwide, selling out quickly and prompting strong feedback. The manual, written by Audrey Adeline and Vivek Ramachandran is titled: 'The Browser Security Field Manual'. "We were one of the top-selling books at the RSA bookstore," Adeline said. "A lot of CISOs reached out to us afterwards to say it helped their teams rethink browser security." Originally from Indonesia, Adeline's own path into tech was unconventional. "I grew up in a very traditional economy. Most of my family ran consumer businesses - nobody was in STEM," she said. After studying biochemistry at Cambridge and working in cancer research, she pivoted into consulting, and eventually joined Sequoia to evaluate tech companies, including cybersecurity firms. Her passion for deep tech and research led her to SquareX, where she now leads the Year of Browser Bugs (YOBB) project, uncovering browser-based architectural vulnerabilities each month. These include high-profile exploits like polymorphic extensions, which can impersonate legitimate browser tools like password managers and crypto wallets. "The danger is users don't realise they're entering credentials into a fake extension," Adeline explained. "These are architectural issues that legitimate browser features enable, and they're much harder to detect or patch." That urgency drove the creation of the manual. "We kept seeing the same problem - people using the browser constantly, but having very little visibility or protection," she said. "Existing tools just don't give you a clear picture of how the breach occurred." The manual's first edition is now being followed by a second, set for release at DEF CON and Black Hat in August. It will feature commentary from CISOs at Fortune 500 companies to ground the guidance in real-world enterprise experience. "We didn't want to just make it theoretical," Adeline said. "Each chapter now includes perspectives on actual problems faced by security teams." Access to the manual is currently via request form, though Adeline said digital availability is expected closer to August. Developing the manual was not without challenges. "The biggest hurdle was the lack of consolidated resources," she said. "There's research out there, but it's scattered. We had to pull together a lot of primary sources and make it digestible - from beginner concepts to advanced attacks." Browser-based threats have spiked recently, with attackers targeting the browser as the new endpoint for enterprise data. "Think about it," she said. "We don't download files anymore. Our files, apps, identities - everything is now in the browser. It's where 60 to 70 per cent of enterprise data lives." Adeline warned that the shift in attacker behaviour is permanent. "It's not just a trend. There's a fundamental change in how we work, and attackers are following the data." To help teams assess their own posture, SquareX has also launched a free browser attack testing tool. "Seeing is believing," she said. "You can test against 49 different browser-based attacks and see which ones bypass your current solutions." She sees two main approaches to browser defence: dedicated secure browsers, or solutions like SquareX's browser extension, which converts any existing browser into a secure one. "Most organisations can't migrate everyone to a new browser," she said. "Extensions are more practical, and updates are seamless." SquareX positions itself as the EDR for the browser, focusing on detection and response at a granular level. "We're obsessed with user experience. You can't compromise productivity just to get security," she said. The company's design avoids the risks of dedicated browsers, which often lag behind on security patches. "Every time Chrome issues a patch, those browsers need to be updated manually. That creates a gap where zero-days can thrive," she explained. Future plans include a red team edition of the manual and continuous updates as attacks evolve. "I wouldn't be surprised if there are multiple versions by next year," Adeline said. Her advice to security leaders just waking up to the browser as a threat vector is clear: "You need browser-native security to tackle browser-native threats." Adeline believes the industry must go beyond reacting to breaches and start anticipating them. "The best defence is understanding what attackers are doing," she said. "You can't just play catch-up." For her, the inclusion of peer input in the manual is crucial. "Security leaders want to hear from their peers. They need validation that this is a permanent shift, not a passing concern," she said. Asked what's changed to make browsers such a prime target now, Adeline points to a confluence of technology and behaviour. "Chrome has added countless new features like WebAssembly and WebRTC. These make browsers powerful enough to replace local apps," she explained. "Since COVID, we've seen everything move online. Now attackers are simply going where the data is." "The browser is the new endpoint," she said. "It's where we work - and where we're vulnerable."
Techday NZ
30-05-2025
- Techday NZ
Safari users at heightened risk from new fullscreen BitM attack
SquareX has released new threat research detailing an advanced Browser-in-the-Middle (BitM) attack that specifically targets users of the Safari browser. The research, conducted as part of the Year of Browser Bugs (YOBB) project, outlines the method by which BitM attacks deceive individuals into providing sensitive credentials by presenting fake login pages in the victim's browser through a pop-up window controlled by the attacker. Traditionally, one limitation of BitM attacks has been the continued visibility of the malicious URL in the parent window, which could alert security-conscious users to the threat. SquareX's research identifies a vulnerability in Safari's implementation of the Fullscreen API that attackers can exploit to make the attack more convincing and difficult to detect. According to the team, "When combined with BitM, this vulnerability can be exploited to create an extremely convincing Fullscreen BitM attack, where the BitM window opens up in fullscreen mode such that no suspicious URLs from the parent window is seen. Safari users are especially vulnerable to this attack as there is no clear visual indicator of users entering fullscreen." The researchers added, "We have disclosed this vulnerability to Safari and were regrettably informed that there is no plan to address the issue." The Fullscreen API, as currently specified, requires only that "the user has to interact with the page or a UI element in order for this feature to work." However, it does not detail what type of interaction is necessary. Attackers can thus embed any clickable element, such as a fake login button, in the pop-up which triggers fullscreen mode, convincingly mimicking a legitimate login page with the real URL in the address bar. SquareX's researchers warned: "The Fullscreen BitM attack highlights architectural and design flaws in browser APIs, specifically the FullScreen API. Users can unknowingly click on a fake button and trigger a fullscreen BitM window, especially in Safari where there is no notification when the user enters fullscreen mode." "Users that typically rely on URLs to verify the legitimacy of a site will have zero visual cues that they are on an attacker-controlled site. With how advanced BitM is becoming, it is critical for enterprises to have browser-native security measures to stop attacks that can no longer be visually identified by even the most security aware individuals." While BitM attacks have generally been used to steal login credentials, session tokens, and SaaS application data, the fullscreen variant described in SquareX's research further increases the risks by making detection by ordinary users extremely difficult. The attack could extend to spreading misinformation via fake pages designed to resemble official government sites, as well as gathering personally identifiable information (PII) and company data. Attackers could also open new tabs within the attacker-controlled window, gaining further insight into the victim's browsing activities. Other browsers, including Firefox, Chrome, Edge, and Chromium-based ones, are also technically susceptible to the Fullscreen BitM attack. These browsers do issue a notification when fullscreen mode is activated, but the warning is described as subtle and easily overlooked. Dark mode and modified colour schemes can make the notification even less noticeable. In contrast, Safari only shows a brief swipe animation with no explicit messaging, which increases user vulnerability. The research states that endpoint detection and response solutions lack the capability to monitor activity within the browser itself, rendering them ineffective against both standard and fullscreen BitM attacks. According to SquareX, "EDRs have zero visibility into the browser and are proven to be obsolete when it comes to detecting any BitM attack, much less its more advanced fullscreen variant. Additionally, orchestrating the attack with technologies such as remote browser and pixel pushing will also allow it to bypass SASE/SSE detection by eliminating any suspicious local traffic." The researchers assert that security tools are currently unable to detect or mitigate Fullscreen BitM attacks due to the lack of access to detailed browser metrics. "As phishing attacks become more sophisticated to exploit architectural limitations of browser APIs that are either unfixable or will take significant time to fix by browser providers, it is critical for enterprises to rethink their defense strategy to include advanced attacks like Fullscreen BitM in the browser," the research team stated. SquareX's disclosure of the Fullscreen BitM attack is part of its ongoing initiative to highlight browser vulnerabilities and architectural limitations as browser-based attacks continue to evolve. Previous disclosures under the Year of Browser Bugs project have addressed threats such as Browser Syncjacking, Polymorphic Extensions, and Browser-Native Ransomware.
