Scaring people with fullScreen. Unsurprisingly, you can work around the “Press Esc to exit full screen mode” message in Flash by distracting the user with lots of similar looking visual noise. This opens up opportunities for cunning phishing attacks that simulate the chrome of the entire operating system. EDIT: Comments point out that text entry via the keyboard is still disabled, limiting the damage somewhat.
Sign in with 
OpenID
This sort of attack is IMHO one of the few good reasons for "skinnable" OS-level UIs. It's a lot easier when the attacker can predict with near-certainty what a "real" OS message would look like.
Mike - 3rd June 2008 01:23 - #
Note that Flash disables keyboard input while in fullscreen mode, so while a phishing attack would still be possible (i.e. displaying a visual keyboard for text input using the mouse) it reduces the risk of trivial methods such as mimicking OS level dialogs.
gwint - 3rd June 2008 03:19 - #
As gwint said, phishing attacks are pretty much ruled out because the keyboard is disabled. The Flash Player team were also careful to ensure that you can't trigger full-screen mode automatically - it can only be done through user interaction.
See the Security section of http://www.adobe.com/devnet/flashplayer/articles/f ull_screen_mode.html for more information.
Steve Webster - 3rd June 2008 08:55 - #