Researchers have found that Google Chrome’s Application Mode can be abused for phishing threats.
Used to offer ChromeOS users a clean, minimal interface for certain websites such as YouTube, when launched, Application Mode brings up a new browser window without the address bar, toolbars, or other familiar elements – even the taskbar displays the website favicon instead of the Chrome icon.
But this mode can be abused, cybersecurity researcher mr.d0x discovered. If an attacker manages to convince a user to run a Windows shortcut that runs a phishing URL with Chromium’s Application Mode feature, the user will only see what seems to be the login form for an app. In reality, though, it would be a phishing page that steals (opens in new tab) people’s login data.
Ever since Microsoft moved to kill malicious Office files, cybercriminals have been pivoting towards Windows shortcut files (.LNK).
Cybersecurity experts have since uncovered countless attack campaigns that successfully leveraged .LNK files to deliver all kinds of viruses and malware, from QBot, to BazarLoader, to anything in between.
Explaining this new potential method, mr.d0x says an attacker could use a shortcut file to launch a phishing “applet” on the victim’s endpoint:
- For Chrome:
“C:\Program Files\Google\Chrome\Application\chrome.exe” –app=https://example.com
- For Microsoft Edge
“c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe” –app=https://example.com
There are multiple ways to abuse this flaw, mr.d0x added, including having access to the target device, using a portable HTML file with the “-app” parameter embedded, or using the Browser-in-the-Browser technique to add a fake address bar. Finally, the attack can also be pulled off on macOS and Linux devices, he said.
Via: BleepingComputer (opens in new tab)