Watch out - downloading that web app could infect your whole device with malware
PWAs can easily be abused to steal sensitive data, expert warns
Progressive Web Apps (PWA), a type of application delivered via a web browser, can be hijacked to be used for phishing, creating authentic-looking, convincing data-harvesting platforms, experts have warned.
Researcher mr.d0x, a notable figure in the cybersecurity community, particularly known for creating and sharing tools and techniques that are useful for penetration testing, red teaming, and security research, has described creating a new phishing toolkit that allows people to create PWAs which can display corporate login forms and even come with a fake address bar, showing the authentic URL, and thus looking more trustworthy.
"PWAs integrate with the OS better (i.e. they have their own app icon, can push notifications) and therefore they can lead to higher engagement for websites," mr.d0x explained. "The issue with PWAs is that manipulating the UI for phishing purposes is possible,” he added.
Phishing templates released
PWAs are not very different from regular applications. They still need to be downloaded and installed, will be shown on the list of installed programs and apps, and will show a shortcut where designated by the user. The only difference is, once the user runs the app, it will open in the browser. That being said, the process of getting people to install a malicious PWA will not be very different from the process of getting them to install malware.
However, it could be more convincing than regular programs, and as such could perform better when it comes to data harvesting and credential theft.
Mr.d0x released PWA phishing templates on GitHub, so that other researchers can play with the tools, as well.
"Users that don't use PWAs often may be more susceptible to this technique as they might be unaware that PWAs should not have a URL bar. Even though Chrome appears to have taken measures against this by periodically showing the real domain in the title bar, I think people's habits of "checking the URL'' will render that measure less useful,” the researcher told BleepingComputer.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Finally, he warned that most security awareness programs are yet to include PWA phishing.
Via BleepingComputer
More from TechRadar Pro
- Thousands of FortiGate VPN systems hit by Chinese hackers
- Here's a list of the best firewalls today
- These are the best endpoint protection tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.