Today in Edworking News we want to talk about Progressive Web Apps (PWAs) Phishing
Introduction
Progressive Web Apps or PWAs are applications that are built using web technologies (i.e. HTML, CSS, JavaScript) that can be installed and behave similarly to native applications. PWAs integrate with the OS better (i.e. they have their own app icon, can push notifications) and therefore they can lead to higher engagement for websites. The issue with PWAs is that manipulating the UI for phishing purposes is possible as we’ll explore in this blog.
PWA Requirements
Before showing an attack scenario using a PWA, we’ll need to understand how to create one. Feel free to skip this section as I provide a working template on my GitHub for testing at the end of this post. At a basic level, a PWA requires the following files:
Attack Scenario
Now that we understand how a PWA file is created, we can start weaponizing it for phishing. We will perform the following attack scenario: Needless to say, this scenario can be tailored to any other company besides Microsoft.
Step 1 - Setting Up Landing Page
We start by creating our landing page with the “Install Microsoft Application” button.
Step 2 - Installing Application
Clicking the “Install Microsoft Application” button prompts the user to install our PWA application.
Step 3 - Redirection
After the application is successfully installed, redirect the user to the phishing page with a fake URL bar.
Phishing Demo
The demo below performs the previously mentioned steps but instead redirects users to a fake Microsoft phishing page that captures credentials. For higher quality use this.
Application Icon
Notice how the application’s icon is set to the Microsoft Logo, making it more realistic.
GitHub PoC
I’ve included the demonstration PoC on my GitHub.
Conclusion
As we saw, PWAs open up the path for UI manipulation that can trick users into believing they’re on a different website. This technique clearly has some disadvantages such as the requirement of the target user to install the application. Additionally, the PWA window briefly displays the actual domain name in the top right corner. However, I believe people's habits of checking the URL bar will lead them to disregard that domain name (security awareness is required for this). It may also be worth mentioning that prior to posting this blog I did find someone raising a security concern regarding the abuse of PWA for phishing back in 2018.
Remember these 3 key ideas for your startup:
- Enhance Security Awareness: Emphasize to your team the importance of checking URL bars and icons to distinguish between real and fake applications. Regular phishing simulations can help raise awareness and improve vigilance. Here's a quick and comprehensive guide to agile transformation for better team adaptation to new security measures.
- Implement Rigorous Security Protocols: Ensuring that your PWA is secured and educating your users about potential phishing threats can safeguard your startup from potential attacks. Learn more about building an effective in-house creative team structure to ensure robust security measures are in place.
- Optimize User Engagement Responsibly: While PWAs can significantly boost user engagement, always prioritize the trust and security of your users by implementing transparent and secure design.
For a guide on integrating diverse productivity tools effectively, consider this comparison of Microsoft Teams vs Slack vs Edworking.
Edworking is the best and smartest decision for SMEs and startups to be more productive. Edworking is a free productivity software that includes all you need for work powered by AI in the same superapp, connecting Task Management, Docs, Chat, Videocall, and File Management. Save money today by not paying for Slack, Trello, Dropbox, Zoom, and Notion.
For more details, see the original source.
