Progressive Web Apps (PWAs) Phishing (opens in new tab)

(mrd0x.com)

132 pointskolp1y ago39 comments

39 comments

What's the difference between this and just having a button on your website that redirects to a spoof microsoft login page?

codetrotter1y ago

Because this one makes it look like there’s a url bar with a Microsoft domain

ajross1y ago

No it doesn't. You need to fool the user into installing an app that loads from your own domain. Now that obviously isn't impossible, but it requires getting the user to ignore or be mislead by the clearly-displayed URL in the web page and/or installer UI.

As the commenter upthread conjectured, this is indeed perfectly isomorphic to fooling a user into loading and interacting with a faked web page. That's a real threat! But it's clearly not a new threat with PWAs and IMHO this article is mostly just spun clickbait. This isn't remotely a novel vulnerability.

3 more replies

ffpip1y ago

A PWA can have the familiar "Sign in with google" button now, which pops up a similar page as shown in the article, but with accounts.google.com in the fake URL bar.

josephcsible1y ago

Being a PWA lets you hide the real URL bar.

paulryanrogers1y ago

How could this be stopped? Blocking images or rendering that mimics a real URL bar would be challenging.

Perhaps the PWA forces an overlay of the real apex domain at the top or in a top corner?

2 more replies

meiraleal1y ago

That's indeed a tricky one. Even tho I work with PWAs I could see myself being misled by this with a github credential. Good remind to only connect third party services with access tokens.

jeroenhd1y ago

Many applications will obtain such a token through an OAuth flow of some kind.

Using a browser-integrated password manager or passkey will usually prevent this attack, though.

Nathanba1y ago

Nah, it won't because it happens all the time that my password manager doesn't recognize the current url because the auth signin flow had so many weird urls in it that I had to save the url manually and now it's not the right url so I copy out the password manually instead of autofilling it. This was actually the case for my Google account which I created through gmail but then my gmail password wasn't using the right url for all the other google services. Now that I think about it, this was also the case for my Microsoft account that I got a long time ago through hotmail.

I think that this is a fairly legitimate attack vector and it's sad because I really want to be able to hide the url bar in my PWAs through custom styling to make it look more like a real native app.

1 more reply

beardyw1y ago

Surely you could pull this trick just by using full screen mode couldn't you? And all that requires is any user interaction.

erikerikson1y ago

Does this fool tools like 1Password?

phartenfeller1y ago

No as the page's URL is still not the real login URL. The shown address bar is just a fake with styled website content if I understood it correctly. Really smart!

RcouF1uZ4gsC1y ago

I don’t things is much worse than OAuth itself. You just have to make a login with Google/Facebook/X button.

Also the thing about the URL won’t have much practical difference for the user. The reason is that a lot of the flows can redirect through different domains. For example, when I sign in with Google into a third party site, I often see a redirect through the YouTube domain.

So users are not expecting full fidelity to the domain.

kmf841y ago

Yes, but I found it a little earlier. ( 4 years ago) https://github.com/0x1235/PWA_Spoofing_PoC

toddmorey1y ago

What makes this PWA specific rather than just “installable software”?

arendtio1y ago

PWAs are generally considered safe to install because they are just a website (running in a sandbox) plus some fancy desktop integration. Normal software you install doesn't run in a sandbox and has much more capabilities.

However, as with every phishing attack, the user must ignore small (security related) hints.

toddmorey1y ago

Ah, I’m thinking Windows maybe requires less permission to install a PWA?

MisterDizzy1y ago

It's "installed" through the browser, and it runs in the browser. So a PWA is just a browser app that maybe runs in a window with no browser chrome so it feels more native.

difosfor1y ago

I think you could do the same in native apps? So yeah, not much you can do about uncareful users. I suppose you could use something like an App store to provide some checks and a little more security. But then you're likely to run into monopolies again..

kristiandupont1y ago

I guess the argument would be that a screened app store would block such a malicious app.

But since the trick requires the user to go to a malicious website to install this app, it seems to me that the user might similarly be tricked into entering credentials on that website.

ghayes1y ago

Ideally, the best defense here is a FIDO-compliant 2FA or Passkey that would properly not send a valid credential for a different domain.

ffpip1y ago

This looks a lot like a Oauth request, where you are redirected to sign-in. You check the URL and enter the creds, with the assumption that you are using "Sign in with Microsoft" to login to the site since this is how that login flow works

1 more reply

paulddraper1y ago

No, the malicious website would have a "Sign in with Facebook".

You would enter your credentials on something that (according to a url bar) is Facebook.com

dzhiurgis1y ago

This reminds me OAuth screens where you are not sure why your password manager doesn’t work…

j / k navigate · click thread line to collapse

39 comments

theteapot1y ago

What's the difference between this and just having a button on your website that redirects to a spoof microsoft login page?

codetrotter1y ago

Because this one makes it look like there’s a url bar with a Microsoft domain

ajross1y ago

3 more replies

ffpip1y ago

A PWA can have the familiar "Sign in with google" button now, which pops up a similar page as shown in the article, but with accounts.google.com in the fake URL bar.

josephcsible1y ago

Being a PWA lets you hide the real URL bar.

paulryanrogers1y ago

How could this be stopped? Blocking images or rendering that mimics a real URL bar would be challenging.

Perhaps the PWA forces an overlay of the real apex domain at the top or in a top corner?

2 more replies

meiraleal1y ago

That's indeed a tricky one. Even tho I work with PWAs I could see myself being misled by this with a github credential. Good remind to only connect third party services with access tokens.

jeroenhd1y ago

Many applications will obtain such a token through an OAuth flow of some kind.

Using a browser-integrated password manager or passkey will usually prevent this attack, though.

Nathanba1y ago

I think that this is a fairly legitimate attack vector and it's sad because I really want to be able to hide the url bar in my PWAs through custom styling to make it look more like a real native app.

1 more reply

beardyw1y ago

Surely you could pull this trick just by using full screen mode couldn't you? And all that requires is any user interaction.

erikerikson1y ago

Does this fool tools like 1Password?

phartenfeller1y ago

No as the page's URL is still not the real login URL. The shown address bar is just a fake with styled website content if I understood it correctly. Really smart!

RcouF1uZ4gsC1y ago

I don’t things is much worse than OAuth itself. You just have to make a login with Google/Facebook/X button.

So users are not expecting full fidelity to the domain.

kmf841y ago

Yes, but I found it a little earlier. ( 4 years ago) https://github.com/0x1235/PWA_Spoofing_PoC

toddmorey1y ago

What makes this PWA specific rather than just “installable software”?

arendtio1y ago

However, as with every phishing attack, the user must ignore small (security related) hints.

toddmorey1y ago

Ah, I’m thinking Windows maybe requires less permission to install a PWA?

MisterDizzy1y ago

It's "installed" through the browser, and it runs in the browser. So a PWA is just a browser app that maybe runs in a window with no browser chrome so it feels more native.

difosfor1y ago

kristiandupont1y ago

I guess the argument would be that a screened app store would block such a malicious app.

But since the trick requires the user to go to a malicious website to install this app, it seems to me that the user might similarly be tricked into entering credentials on that website.

ghayes1y ago

Ideally, the best defense here is a FIDO-compliant 2FA or Passkey that would properly not send a valid credential for a different domain.

ffpip1y ago

1 more reply

paulddraper1y ago

No, the malicious website would have a "Sign in with Facebook".

You would enter your credentials on something that (according to a url bar) is Facebook.com

dzhiurgis1y ago

This reminds me OAuth screens where you are not sure why your password manager doesn’t work…

j / k navigate · click thread line to collapse