[ajross]

No it doesn't. You need to fool the user into installing an app that loads from your own domain. Now that obviously isn't impossible, but it requires getting the user to ignore or be mislead by the clearly-displayed URL in the web page and/or installer UI.

As the commenter upthread conjectured, this is indeed perfectly isomorphic to fooling a user into loading and interacting with a faked web page. That's a real threat! But it's clearly not a new threat with PWAs and IMHO this article is mostly just spun clickbait. This isn't remotely a novel vulnerability.

[felipc]

Nope, it's much more insidious than that. The user is already on your website, which could be a legitimate website with a malicious owner.

If you look at the screenshot, it's a perfectly valid interpretation for a non tech-savvy user to interpret that as "realhealthysnacks is asking me to install a legitimate Microsoft application".

Now change the simplified example for a real one from a SaaS product login page with several "Login with ..." buttons, and one of them triggers this.

[ajross]

> legitimate website with a malicious owner.

What... does that mean? A website with a malicious owner is illegitimate by definition. :)

But more to the point, this logic is circular. You're saying PWAs are subject to attack by malicious actors because their users can be attacked by websites controlled by malicious owners. Which is... true. But specious, and true of regular web pages and apps and every other kind of software.

I'm not seeing where you're getting anything novel here at all. If you let people run software written by other people you need some kind of protection against people being fooled by bad software. That is obviously a very hard problem with only imperfect solutions. But those solutions do exist, and that protection exists here in PWAs and needs to be evaded, in a form that is entirely analogous to the way you have to validate a web page you're looking at.

[Thorrez]

>legitimate website with a malicious owner.

The situation is this: You go to some web store. You click "Sign In With Microsoft" (or Google, or Facebook, etc.). You expect the site to be able to know your Microsoft/Google/Facebook email address. You don't expect the site to be able to take over your entire Microsoft/Google/Facebook account.

So it's a site you trust enough to use, but you don't trust it enough to give it control over your other accounts. This phishing attack gives it control over your other accounts.

[doakes]

I don't understand the answers to your "what is a legitimate website with a malicious owner" question, but I kinda see this as the same concern as downloading a phone app that requests an OAuth login via a native webview. You can't always see the true URL of that login page. But it comes back to what I think is your main point -- you've already downloaded something malicious from the get-go. But I guess there's some damage control if you can spot a fake login page and remove the install.

[felipc]

Yeah it still needs a malicious person to run the attack of course, but it's a different attack vector. Phishing consists of making the user believe they are in a different website than they are at.

Most of the time, that requires a convincingly-looking URL to redirect from website A to the phishing page. (e.g. micr0softlogin.com)

This attack doesn't require that, it all stays in the website A which they user may find legitimate. (or it could be a legitimate one that has been compromised)

Another aspect of this is that PWAs have a helpful anti-phishing feature which actually displays a URL bar when you navigate to a different domain. Which is entirely twisted by this because by staying in website A that's exactly when the URL bar will be hidden, letting the attacker to place a fake one there.

But agreed that there are only imperfect solutions to this sort of thing.

[giaour]

> That is obviously a very hard problem with only imperfect solutions.

One of those imperfect solutions is training users to always check the URL bar. PWAs let the attacker inject a fake URL bar AND hide the real URL bar.

[Habgdnv]

> What... does that mean?

microsoft.com is legitimate website. The owner of microsoft.com however get your browsing history, reboot your PC during weekends when your rendering is almost complete, put random adware on your PC without asking you, injects adware into various websites, i'm too lazy to list all the rest but you get the picture. Legitimate website with a malicious owner.

[koolala]

i like your reasoning

[strictnein]

> But it's clearly not a new threat with PWAs and IMHO this article is mostly just spun clickbait. This isn't remotely a novel vulnerability.

This isn't "clickbait". This author is a known security researcher. The word "new" or "novel" doesn't occur in the writeup. They are simply documenting how something works.

They've been writing about this type of thing for years now.

[oneepic]

I'm not a security pro, but the claim about "spun clickbait" doesn't hold for me. I thought it was new to me, and an attack possibility that I hadn't considered before reading. I do think I "validate" sites pretty well before doing any serious things there (logins, transactions, etc).

[strictnein]

You're correct that it's not clickbait. This author is a known security researcher who specializes in this type of thing. It's just another type of attack that they've writing about.