Hackers can use “application mode” in Chromium browsers for stealth phishing attacks


In what is a new phishing technique, it has been shown that the Application Mode feature of Chromium-based web browsers can be abused to create “realistic desktop phishing applications”.

Application mode is designed to deliver native-like experiences such that the website is launched in a separate browser window, while displaying the website’s favicon and hiding the address bar.

According to security researcher mr.d0x – who also designed the Browser-in-Browser (BitB) attack method earlier this year – a malicious actor can leverage this behavior to use HTML/CSS trickery and display a fake address bar on top of the window and trick users into giving their credentials on malicious login forms.

cyber security

“Although this technique is more for internal phishing, you can technically still use it in an external phishing scenario”, mr.d0x said. “You can provide these fake apps independently as files.”

This is achieved by setting up a phishing page with a fake address bar at the top, and setting the –app parameter point to the phishing site hosting the page.

Advanced phishing attacks

In addition to this, the attacker-controlled phishing site can use JavaScript to take more actions, such as closing the window immediately after the user enters the credentials or resizing and positioning it to get the desired effect.

It should be noted that the mechanism works on other operating systems, such as macOS and Linux, making it a potential cross-platform threat. However, the success of the attack relies on the attacker already having access to the target machine.

cyber security

That said, Google is phasing out support for Chrome Apps in favor of Progressive Web Apps (PWAs) and standard web technologies, and the feature is expected to be completely removed in Chrome 109 or later on Windows, macOS, and Linux.

In a statement shared with The Hacker News, the internet giant said “the –app feature was deprecated prior to the publication of this research, and we are taking its potential for abuse into account when considering its future.”

“Users should be aware that executing any file provided by an attacker is dangerous. Google Safe Browsing helps protect against dangerous files and websites. Users may wish to enable Enhanced Protection, which inspects the security of your downloads to better warn you when a file may be dangerous.”

Results come as new findings from Trustwave SpiderLabs To display that HTML smuggling attacks are common, with .HTML (11.39%) and .HTM (2.7%) files being the second most spammed attachment type after .JPG images (25.29%).


Comments are closed.