vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
New Phishing Toolkit Can Steal Login Info Using PWAs

Husain Parvez, Cybersecurity Researcher. Published on 16th June 2024

A new phishing toolkit created by security researcher mr.d0x enables cybercriminals to exploit Progressive Web Apps (PWAs) to steal login credentials, posing a significant threat to internet users. According to a report from BleepingComputer, the toolkit allows for the creation of PWAs that convincingly mimic corporate login forms, complete with fake address bars displaying authentic URLs.

PWAs, which are web-based applications built using HTML, CSS, and JavaScript, can be installed from websites like regular desktop applications and are integrated into the operating system, making them appear legitimate to users.

"PWAs integrate with the OS better (i.e., they have their own app icon, can push notifications), and therefore they can lead to higher engagement for websites," mr.d0x explained in his blog. The toolkit demonstrates how these web apps can be manipulated for phishing, making it easier for attackers to deceive users into entering their credentials. Once installed, the malicious PWA can prompt users to log in, stealing their credentials for services such as VPNs, Microsoft accounts, AWS, or online stores.

TechRadar adds that this method of phishing could be more convincing than traditional methods, as PWAs appear as legitimate applications in the user's operating system. Users unfamiliar with PWAs may be particularly vulnerable, as they might not realize that PWAs should not display a URL bar.

Despite measures by browsers like Chrome to periodically show the real domain in the title bar, users' habits of checking the URL might not be sufficient to protect them from this type of attack. The PWA phishing templates have been released on GitHub, allowing other researchers to test and modify them.
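As an added defensive illustration (not code from the article, from mr.d0x's toolkit or from any browser), the following Python check inspects a PWA's web app manifest at install time and flags the combination the article describes: a display mode that hides the browser's real address bar, combined with branding that does not match the host serving the app. The brand-to-host table and the sample manifests are constructed assumptions for the example only.

```python
import json
from urllib.parse import urljoin, urlsplit

# Constructed allowlist for illustration (hypothetical, not from the article):
# brand keyword found in a manifest's name -> hosts that brand legitimately uses.
BRAND_HOSTS = {
    "microsoft": ("microsoft.com", "microsoftonline.com", "live.com"),
    "aws": ("amazon.com", "amazonaws.com"),
}

# Display modes that remove the browser's own address bar, so any "URL bar"
# the user sees inside the window is drawn by the page itself.
CHROMELESS = {"standalone", "fullscreen", "minimal-ui"}


def _host_matches(host, allowed):
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def assess_manifest(manifest_json, install_origin):
    """Return install-time findings for a web app manifest (empty list = nothing flagged).

    install_origin is the origin the manifest was fetched from, e.g. "https://example.test".
    """
    m = json.loads(manifest_json)
    findings = []

    if m.get("display", "browser") in CHROMELESS:
        findings.append("chromeless-display")

    # start_url may be relative; resolve it against the install origin.
    start = urlsplit(urljoin(install_origin + "/", m.get("start_url", "/")))
    origin = urlsplit(install_origin)
    if (start.scheme, start.netloc) != (origin.scheme, origin.netloc):
        findings.append("start_url-cross-origin")

    # Brand wording in the manifest name that the serving host does not back up.
    label = " ".join(str(m.get(k, "")) for k in ("name", "short_name")).lower()
    for brand, hosts in BRAND_HOSTS.items():
        if brand in label and not _host_matches(start.hostname or "", hosts):
            findings.append("brand-mismatch:" + brand)
    return findings


def is_suspicious(manifest_json, install_origin):
    """The pattern from the article: no real address bar plus mismatched branding."""
    f = assess_manifest(manifest_json, install_origin)
    return "chromeless-display" in f and any(x.startswith("brand-mismatch") for x in f)
```

A check like this belongs in an endpoint or browser-extension policy that runs before an install is allowed; it does not replace user training, since a legitimately branded host can still be compromised.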

This release raises concerns about the ease with which these tools can be accessed and potentially misused by malicious actors. "The issue with PWAs is that manipulating the UI for phishing purposes is possible," mr.d0x noted, emphasizing the need for awareness and security measures.

This new phishing technique underscores the importance of updating security awareness programs to include information about PWA phishing. As mr.d0x pointed out, many security training programs do not currently cover this threat, leaving users at risk.

Previous occurrences, such as a recently reported incident exposing sensitive citizen data through the Indian government's cloud system, highlight the urgent need for stronger security measures and reveal the wider dangers of vulnerabilities in web-based applications.

About the Author

Husain Parvez, Cybersecurity Researcher

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.
