felipc | 1 year ago

Yeah, it still needs a malicious person to run the attack of course, but it's a different attack vector. Phishing consists of making the user believe they are on a different website than the one they are actually at.

Most of the time, that requires a convincing-looking URL to redirect from website A to the phishing page (e.g. micr0softlogin.com).

This attack doesn't require that; it all stays in website A, which the user may find legitimate (or it could be a legitimate one that has been compromised).

Another aspect of this is that PWAs have a helpful anti-phishing feature which actually displays a URL bar when you navigate to a different domain. This is entirely twisted by this attack, because by staying in website A that's exactly when the URL bar will be hidden, letting the attacker place a fake one there.

But agreed that there are only imperfect solutions to this sort of thing.