Progressive Web Apps (PWAs) Phishing (opens in new tab)

(mrd0x.com)

132 pointskolp1y ago39 comments

39 comments

What's the difference between this and just having a button on your website that redirects to a spoof microsoft login page?

codetrotter1y ago

Because this one makes it look like there’s a url bar with a Microsoft domain

ajross1y ago

No it doesn't. You need to fool the user into installing an app that loads from your own domain. Now that obviously isn't impossible, but it requires getting the user to ignore or be mislead by the clearly-displayed URL in the web page and/or installer UI.

As the commenter upthread conjectured, this is indeed perfectly isomorphic to fooling a user into loading and interacting with a faked web page. That's a real threat! But it's clearly not a new threat with PWAs and IMHO this article is mostly just spun clickbait. This isn't remotely a novel vulnerability.

felipc1y ago

Nope, it's much more insidious than that. The user is already on your website, which could be a legitimate website with a malicious owner.

If you look at the screenshot, it's a perfectly valid interpretation for a non tech-savvy user to interpret that as "realhealthysnacks is asking me to install a legitimate Microsoft application".

Now change the simplified example for a real one from a SaaS product login page with several "Login with ..." buttons, and one of them triggers this.

1 more reply

strictnein1y ago

> But it's clearly not a new threat with PWAs and IMHO this article is mostly just spun clickbait. This isn't remotely a novel vulnerability.

This isn't "clickbait". This author is a known security researcher. The word "new" or "novel" doesn't occur in the writeup. They are simply documenting how something works.

They've been writing about this type of thing for years now.

oneepic1y ago

I'm not a security pro, but the claim about "spun clickbait" doesn't hold for me. I thought it was new to me, and an attack possibility that I hadn't considered before reading. I do think I "validate" sites pretty well before doing any serious things there (logins, transactions, etc).

1 more reply

ffpip1y ago

A PWA can have the familiar "Sign in with google" button now, which pops up a similar page as shown in the article, but with accounts.google.com in the fake URL bar.

josephcsible1y ago

Being a PWA lets you hide the real URL bar.

paulryanrogers1y ago

How could this be stopped? Blocking images or rendering that mimics a real URL bar would be challenging.

Perhaps the PWA forces an overlay of the real apex domain at the top or in a top corner?

amadeuspagel1y ago

When installing a PWA, check whether URL and title match and warn the the user otherwise.

For most PWAs, the title is simply the apex domain without the TLD with some kind of capitalization. There are a few slightly more complex cases, such as Google Maps (google.com/maps) and YouTube Music (music.youtube.com). Even in these cases, there is an obvious relationship between URL and title.

johnnypangs1y ago

I think that it’s pretty hard to stop with the current state of PWA installation.

You could try the manifest data, (the data for the PWA app) tied more to the html and dns. Making it harder to impersonate other sites.

You could also go a more extreme route and have something like PWA app signing like other kinds of apps.

meiraleal1y ago

That's indeed a tricky one. Even tho I work with PWAs I could see myself being misled by this with a github credential. Good remind to only connect third party services with access tokens.

jeroenhd1y ago

Many applications will obtain such a token through an OAuth flow of some kind.

Using a browser-integrated password manager or passkey will usually prevent this attack, though.

Nathanba1y ago

Nah, it won't because it happens all the time that my password manager doesn't recognize the current url because the auth signin flow had so many weird urls in it that I had to save the url manually and now it's not the right url so I copy out the password manually instead of autofilling it. This was actually the case for my Google account which I created through gmail but then my gmail password wasn't using the right url for all the other google services. Now that I think about it, this was also the case for my Microsoft account that I got a long time ago through hotmail.

I think that this is a fairly legitimate attack vector and it's sad because I really want to be able to hide the url bar in my PWAs through custom styling to make it look more like a real native app.

ensignavenger1y ago

Your right about simple password managers, but passkeys do prevent this flaw.

beardyw1y ago

Surely you could pull this trick just by using full screen mode couldn't you? And all that requires is any user interaction.

erikerikson1y ago

Does this fool tools like 1Password?

phartenfeller1y ago

No as the page's URL is still not the real login URL. The shown address bar is just a fake with styled website content if I understood it correctly. Really smart!

RcouF1uZ4gsC1y ago

I don’t things is much worse than OAuth itself. You just have to make a login with Google/Facebook/X button.

Also the thing about the URL won’t have much practical difference for the user. The reason is that a lot of the flows can redirect through different domains. For example, when I sign in with Google into a third party site, I often see a redirect through the YouTube domain.

So users are not expecting full fidelity to the domain.

kmf841y ago

Yes, but I found it a little earlier. ( 4 years ago) https://github.com/0x1235/PWA_Spoofing_PoC

toddmorey1y ago

What makes this PWA specific rather than just “installable software”?

arendtio1y ago

PWAs are generally considered safe to install because they are just a website (running in a sandbox) plus some fancy desktop integration. Normal software you install doesn't run in a sandbox and has much more capabilities.

However, as with every phishing attack, the user must ignore small (security related) hints.

toddmorey1y ago

Ah, I’m thinking Windows maybe requires less permission to install a PWA?

MisterDizzy1y ago

It's "installed" through the browser, and it runs in the browser. So a PWA is just a browser app that maybe runs in a window with no browser chrome so it feels more native.

difosfor1y ago

I think you could do the same in native apps? So yeah, not much you can do about uncareful users. I suppose you could use something like an App store to provide some checks and a little more security. But then you're likely to run into monopolies again..

kristiandupont1y ago

I guess the argument would be that a screened app store would block such a malicious app.

But since the trick requires the user to go to a malicious website to install this app, it seems to me that the user might similarly be tricked into entering credentials on that website.

ghayes1y ago

Ideally, the best defense here is a FIDO-compliant 2FA or Passkey that would properly not send a valid credential for a different domain.

ffpip1y ago

This looks a lot like a Oauth request, where you are redirected to sign-in. You check the URL and enter the creds, with the assumption that you are using "Sign in with Microsoft" to login to the site since this is how that login flow works

whartung1y ago

That’s the thing. For a desktop app, they can pop up a chromeless web view with the Oauth login page. You can’t vet the authenticity at all.

paulddraper1y ago

No, the malicious website would have a "Sign in with Facebook".

You would enter your credentials on something that (according to a url bar) is Facebook.com

dzhiurgis1y ago

This reminds me OAuth screens where you are not sure why your password manager doesn’t work…

j / k navigate · click thread line to collapse

39 comments

theteapot1y ago

What's the difference between this and just having a button on your website that redirects to a spoof microsoft login page?

codetrotter1y ago

Because this one makes it look like there’s a url bar with a Microsoft domain

ajross1y ago

felipc1y ago

Nope, it's much more insidious than that. The user is already on your website, which could be a legitimate website with a malicious owner.

If you look at the screenshot, it's a perfectly valid interpretation for a non tech-savvy user to interpret that as "realhealthysnacks is asking me to install a legitimate Microsoft application".

Now change the simplified example for a real one from a SaaS product login page with several "Login with ..." buttons, and one of them triggers this.

1 more reply

strictnein1y ago

> But it's clearly not a new threat with PWAs and IMHO this article is mostly just spun clickbait. This isn't remotely a novel vulnerability.

This isn't "clickbait". This author is a known security researcher. The word "new" or "novel" doesn't occur in the writeup. They are simply documenting how something works.

They've been writing about this type of thing for years now.

oneepic1y ago

1 more reply

ffpip1y ago

A PWA can have the familiar "Sign in with google" button now, which pops up a similar page as shown in the article, but with accounts.google.com in the fake URL bar.

josephcsible1y ago

Being a PWA lets you hide the real URL bar.

paulryanrogers1y ago

How could this be stopped? Blocking images or rendering that mimics a real URL bar would be challenging.

Perhaps the PWA forces an overlay of the real apex domain at the top or in a top corner?

amadeuspagel1y ago

When installing a PWA, check whether URL and title match and warn the the user otherwise.

johnnypangs1y ago

I think that it’s pretty hard to stop with the current state of PWA installation.

You could try the manifest data, (the data for the PWA app) tied more to the html and dns. Making it harder to impersonate other sites.

You could also go a more extreme route and have something like PWA app signing like other kinds of apps.

meiraleal1y ago

That's indeed a tricky one. Even tho I work with PWAs I could see myself being misled by this with a github credential. Good remind to only connect third party services with access tokens.

jeroenhd1y ago

Many applications will obtain such a token through an OAuth flow of some kind.

Using a browser-integrated password manager or passkey will usually prevent this attack, though.

Nathanba1y ago

I think that this is a fairly legitimate attack vector and it's sad because I really want to be able to hide the url bar in my PWAs through custom styling to make it look more like a real native app.

ensignavenger1y ago

Your right about simple password managers, but passkeys do prevent this flaw.

beardyw1y ago

Surely you could pull this trick just by using full screen mode couldn't you? And all that requires is any user interaction.

erikerikson1y ago

Does this fool tools like 1Password?

phartenfeller1y ago

No as the page's URL is still not the real login URL. The shown address bar is just a fake with styled website content if I understood it correctly. Really smart!

RcouF1uZ4gsC1y ago

I don’t things is much worse than OAuth itself. You just have to make a login with Google/Facebook/X button.

So users are not expecting full fidelity to the domain.

kmf841y ago

Yes, but I found it a little earlier. ( 4 years ago) https://github.com/0x1235/PWA_Spoofing_PoC

toddmorey1y ago

What makes this PWA specific rather than just “installable software”?

arendtio1y ago

However, as with every phishing attack, the user must ignore small (security related) hints.

toddmorey1y ago

Ah, I’m thinking Windows maybe requires less permission to install a PWA?

MisterDizzy1y ago

It's "installed" through the browser, and it runs in the browser. So a PWA is just a browser app that maybe runs in a window with no browser chrome so it feels more native.

difosfor1y ago

kristiandupont1y ago

I guess the argument would be that a screened app store would block such a malicious app.

But since the trick requires the user to go to a malicious website to install this app, it seems to me that the user might similarly be tricked into entering credentials on that website.

ghayes1y ago

Ideally, the best defense here is a FIDO-compliant 2FA or Passkey that would properly not send a valid credential for a different domain.

ffpip1y ago

whartung1y ago

That’s the thing. For a desktop app, they can pop up a chromeless web view with the Oauth login page. You can’t vet the authenticity at all.

paulddraper1y ago

No, the malicious website would have a "Sign in with Facebook".

You would enter your credentials on something that (according to a url bar) is Facebook.com

dzhiurgis1y ago

This reminds me OAuth screens where you are not sure why your password manager doesn’t work…

j / k navigate · click thread line to collapse