New Phishing Toolkit Can Steal Login Info Using PWAs
A new phishing toolkit created by security researcher mr.d0x enables cybercriminals to exploit Progressive Web Apps (PWAs) to steal login credentials, posing a significant threat to internet users. According to a report from BleepingComputer, the toolkit allows for the creation of PWAs that convincingly mimic corporate login forms, complete with fake address bars displaying authentic URLs.
PWAs, which are web-based applications built using HTML, CSS, and JavaScript, can be installed from websites like regular desktop applications and are integrated into the operating system, making them appear legitimate to users.
"PWAs integrate with the OS better (i.e., they have their own app icon, can push notifications), and therefore they can lead to higher engagement for websites," mr.d0x explained in his blog. The toolkit demonstrates how these web apps can be manipulated for phishing, making it easier for attackers to deceive users into entering their credentials. Once installed, the malicious PWA can prompt users to log in, stealing their credentials for services such as VPNs, Microsoft accounts, AWS, or online stores.
TechRadar adds that this method of phishing could be more convincing than traditional methods, as PWAs appear as legitimate applications in the user's operating system. Users unfamiliar with PWAs may be particularly vulnerable, as they might not realize that PWAs should not display a URL bar.
Chrome mitigates this by periodically showing the real domain in the PWA's title bar, but a user whose habit is to check the address bar will see the fake one, so that habit alone may not protect them from this type of attack. The PWA phishing templates have been released on GitHub, allowing other researchers to test and modify them.
This release raises concerns about the ease with which these tools can be accessed and potentially misused by malicious actors. "The issue with PWAs is that manipulating the UI for phishing purposes is possible," mr.d0x noted, emphasizing the need for awareness and security measures.
This new phishing technique underscores the importance of updating security awareness programs to include information about PWA phishing. As mr.d0x pointed out, many security training programs do not currently cover this threat, leaving users at risk.
Earlier incidents, such as the recently reported exposure of sensitive citizen data through the Indian government's cloud system, highlight the urgent need for stronger security measures and show the broader risk posed by vulnerabilities in web-based applications.