{"id":51496,"date":"2024-06-19T10:29:24","date_gmt":"2024-06-19T14:29:24","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=51496"},"modified":"2024-06-24T07:04:31","modified_gmt":"2024-06-24T11:04:31","slug":"phishing-with-progressive-web-apps","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/phishing-with-progressive-web-apps\/51496\/","title":{"rendered":"Progressive phishing: How PWAs can be used to steal passwords"},"content":{"rendered":"

A security researcher known as mr.d0x<\/em> has published a post<\/a> detailing a new technique that can be used for phishing and potentially other malicious activities. The technique exploits so-called progressive web apps (PWAs). In this post, we discuss what these applications are, why they can be dangerous, how attackers can use them for their own purposes, and how to protect yourself<\/a> against this threat.<\/p>\n

What are progressive web apps?<\/h2>\n

PWAs are applications developed using web technologies. Essentially, they\u2019re websites that look and function just like native applications installed on your operating system.<\/p>\n

The general idea is similar to applications built on the Electron framework<\/a>, with one key difference. Electron apps are like a \u201csandwich\u201d of a website (the filling) and a browser (the bread) dedicated to running that site; that is, each Electron application has a built-in browser. In contrast, PWAs utilize the engine of the browser already installed on the user\u2019s system to display the same website \u2013 like a sandwich without the bread.<\/p>\n

All modern browsers support PWAs, with Google Chrome and Chromium-based browsers (including the Microsoft Edge browser that comes with Windows) offering the most comprehensive implementation.<\/p>\n

Installing a PWA (if the respective website supports it) is very simple. Just click an inconspicuous button in the browser\u2019s address bar and confirm the installation. Here\u2019s how it\u2019s done, using the Google Drive PWA as an example:<\/p>\n

\"How<\/a>

Installing PWAs only takes two clicks<\/p><\/div>\n

After that, the PWA appears on your system almost instantly, looking just like a real application \u2014 with an icon, its own window, and all the other attributes of a fully-fledged program. It\u2019s not easy to tell from the PWA window that it\u2019s actually a browser displaying a website.<\/p>\n

\"What<\/a>

The Google Drive PWA looks just like a real native application<\/p><\/div>\n

PWA-based phishing<\/h2>\n

One crucial difference between a PWA and the same website opened in a browser is evident in the screenshot above: the PWA window lacks an address bar. This very feature forms the foundation of the phishing method discussed in this post.<\/p>\n

With no address bar in the window, attackers can simply draw their own \u2014 displaying an URL that serves their phishing goals. For example, this one:<\/p>\n

\"PWA<\/a>

With a PWA, you can convincingly mimic any site \u2014 for example, the Microsoft account login page. Source<\/a><\/p><\/div>\n

Attackers can further enhance the deception by giving the PWA a familiar icon.<\/p>\n

The only remaining hurdle is convincing the victim to install the PWA. However, this can be easily achieved with persuasive language and cleverly designed interface elements.<\/p>\n

It\u2019s important to note that during the PWA installation dialog, the displayed app name can be anything the attacker desires. The true origin is only revealed by the website address in the second line, which is less noticeable:<\/p>\n

\"Malicious<\/a>

The malicious PWA installation dialog displays a name that aids the attacker\u2019s goals. Source<\/a><\/p><\/div>\n

The process of stealing a password using a PWA generally unfolds as follows:<\/p>\n