As we saw, PWAs open up a path for UI manipulation that can trick users into believing they’re on a different website. This technique clearly has some disadvantages, such as requiring the target user to install the application. Additionally, the PWA window briefly displays the actual domain name in the top right corner. However, I believe people’s habit of checking the URL bar will lead them to disregard that domain name (security awareness is required for this).
It may also be worth mentioning that, prior to posting this blog, I did find someone raising a security concern regarding the abuse of PWAs for phishing back in 2018.
This is retarded. If the requirement is that the user was fooled into a bad website and is being asked to install something, they are already owned.
Absolutely no reason to trick them into installing a PWA of the same phishing site they were already fooled into using.
reply
It does make the threat more persistent than a one-off visit to the site, which they may more easily notice the second time.
I wonder how many people install PWAs on desktop platforms. I only ever use them on mobile. I wonder if that would impact the feasibility of such attacks.
reply
Pretty subtle attack on our habits. It's really clever.
It basically amounts to showing them what looks like a Microsoft login page in what looks like a browser that has a fake URL bar (which we've learned to rely on ... but we can only rely on it when it's shown in browsers we trust).
reply