Researchers have found that Google Chrome's Application Mode can be abused to carry out phishing attacks.
Application Mode is meant to give ChromeOS users a clean, minimal interface for certain websites, such as YouTube. When launched, it brings up a new browser window without the address bar, toolbars, or other familiar elements. Even the taskbar displays the website's favicon instead of the Chrome icon.
But this mode can be abused, cybersecurity researcher mr.d0x discovered. If an attacker manages to convince a user to run a Windows shortcut that runs a phishing URL with Chromium’s Application Mode feature, the user will only see what seems to be the login form for an app. In reality, though, it would be a phishing page that steals people’s login data.
Ever since Microsoft moved to kill malicious Office files, cybercriminals have been pivoting towards Windows shortcut files (.LNK).
Cybersecurity experts have since uncovered countless attack campaigns that successfully leveraged .LNK files to deliver all kinds of viruses and malware, from QBot, to BazarLoader, to anything in between.
Explaining this new potential method, mr.d0x says an attacker could use a shortcut file to launch a phishing “applet” on the victim’s endpoint:
- For Chrome:
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --app=https://example.com
- For Microsoft Edge:
  "c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app=https://example.com
There are multiple ways to abuse this flaw, mr.d0x added, including having access to the target device, using a portable HTML file with the “--app” parameter embedded, or using the Browser-in-the-Browser technique to add a fake address bar. Finally, the attack can also be pulled off on macOS and Linux devices, he said.
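For defenders, the two command lines above leave a clear trace in process-creation telemetry. The following is an added example, not code from mr.d0x or from the original article: it triages command lines for a browser started in Application Mode. The allowlisted host and the sample lines are constructed assumptions, and the browser list covers only the two binaries named above.

```python
import re
from urllib.parse import urlsplit

BROWSERS = {"chrome.exe", "msedge.exe"}        # the two binaries named in the article
ALLOWED_HOSTS = {"intranet.example.internal"}  # hypothetical allowlist of sanctioned web apps
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')    # one argument, quoted parts included
# Matches --app=<target>; a single leading dash is tolerated as a conservative assumption.
APP_SWITCH = re.compile(r'^-{1,2}app=(.+)$', re.IGNORECASE)

def split_cmdline(cmdline):
    """Split a Windows command line into arguments, dropping the quotes."""
    return [t.replace('"', '') for t in TOKEN.findall(cmdline)]

def app_mode_target(cmdline):
    """Return the --app target if a known browser is started in Application Mode."""
    tokens = split_cmdline(cmdline)
    if not tokens or re.split(r'[\\/]', tokens[0])[-1].lower() not in BROWSERS:
        return None
    for tok in tokens[1:]:
        m = APP_SWITCH.match(tok)
        if m:
            return m.group(1)
    return None

def classify(cmdline, allowed_hosts=ALLOWED_HOSTS):
    """'ignore' = not app mode, 'allowed' = sanctioned host, 'alert' = needs review."""
    target = app_mode_target(cmdline)
    if target is None:
        return "ignore"
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
    except ValueError:                 # malformed URL: treat as suspicious
        return "alert"
    if parts.scheme in ("http", "https") and host in allowed_hosts:
        return "allowed"
    return "alert"                     # unknown host, file:// target, or anything else

# Constructed sample process-creation command lines (not real telemetry).
SAMPLES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app=https://example.com',
    r'"c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app=https://intranet.example.internal/tickets',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.com',
    r'"C:\Windows\System32\notepad.exe" --app=https://example.com',
    r'"c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app="file:///C:/Users/Public/login.html"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "|", line)
```

The same check can be run over the target and arguments of .LNK files found in mail attachments or user-writable folders, since the shortcut only wraps one of these command lines.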
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.