A PWA can have the familiar "Sign in with Google" button now, which pops up a similar page as shown in the article, but with accounts.google.com in the fake URL bar.
That's indeed a tricky one. Even though I work with PWAs, I could see myself being misled by this with a GitHub credential. Good reminder to only connect third-party services with access tokens.
No, as the page's URL is still not the real login URL. The shown address bar is just a fake with styled website content, if I understood it correctly. Really smart!
I don’t think this is much worse than OAuth itself. You just have to make a login with Google/Facebook/X button.
Also the thing about the URL won’t have much practical difference for the user. The reason is that a lot of the flows can redirect through different domains. For example, when I sign in with Google into a third party site, I often see a redirect through the YouTube domain.
So users are not expecting full fidelity to the domain.
PWAs are generally considered safe to install because they are just a website (running in a sandbox) plus some fancy desktop integration. Normal software you install doesn't run in a sandbox and has much more capabilities.
However, as with every phishing attack, the user must ignore small (security related) hints.
I think you could do the same in native apps? So yeah, not much you can do about uncareful users. I suppose you could use something like an app store to provide some checks and a little more security. But then you're likely to run into monopolies again...
I guess the argument would be that a screened app store would block such a malicious app.
But since the trick requires the user to go to a malicious website to install this app, it seems to me that the user might similarly be tricked into entering credentials on that website.
theteapot|1 year ago
codetrotter|1 year ago
ffpip|1 year ago
josephcsible|1 year ago
meiraleal|1 year ago
jeroenhd|1 year ago
Using a browser-integrated password manager or passkey will usually prevent this attack, though.
beardyw|1 year ago
erikerikson|1 year ago
phartenfeller|1 year ago
RcouF1uZ4gsC|1 year ago
kmf84|1 year ago
unknown|1 year ago
[deleted]
toddmorey|1 year ago
arendtio|1 year ago
toddmorey|1 year ago
difosfor|1 year ago
kristiandupont|1 year ago
unknown|1 year ago
[deleted]
dzhiurgis|1 year ago
peheja53|1 year ago
[deleted]
peheja53|1 year ago
[deleted]