Thanks to a new phishing technique, malicious actors could siphon private details by merely impersonating legit login forms in Application Mode.
The Application Mode feature can be accessed in all Chromium-based browsers, which includes Google Chrome, Microsoft Edge, and Brave.
According to mr.d0x, a security researcher who previously unearthed the Browser-in-the-Browser (BitB) attack and the Microsoft WebView2 phishing method, desktop applications are normally harder to spoof, so victims pay less attention to them than to browser windows, which are more widely exploited for phishing.
Chrome's application mode is created to provide native-like experiences in a manner that causes the website to be launched in a separate browser window, while also showing the website's favicon and concealing the address bar.
Additionally, the hacker-controlled malicious site can employ JavaScript to perform multiple operations, such as immediately closing the window once the victim has entered their credentials, or resizing and positioning the window to achieve the desired effect.
It's worth noting that the methodology works on other operating systems as well, including macOS and Linux, making it a possible cross-platform threat. However, the effectiveness of the assault depends on the hacker first gaining a foothold on the computer before following up with this phishing technique, be it via malware or by directing the victim to run a Windows shortcut that launches the malicious URL.
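Because the app-mode window conceals the address bar, the most reliable place to catch this technique is process-creation telemetry rather than the user's eyes: a Chromium browser launched with `--app=<http(s) URL>`, especially from `explorer.exe` (as a double-clicked shortcut would be), is a narrow and low-noise signal. The script below is an added example written for this article, not code from the article or from mr.d0x's research. The event dictionaries, their Sysmon-style field names (`Image`, `ParentImage`, `CommandLine`), the `.test` hostnames and the `ALLOWED_APP_HOSTS` allowlist are all constructed assumptions to be adapted to your own logging pipeline.

```python
"""Flag Chromium Application Mode launches (--app=URL) in process-creation events.

Added example for this article; not from the article or from mr.d0x's research.
Field names follow a Sysmon-style layout (assumption) and all sample data is constructed.
"""
import re
from urllib.parse import urlparse

# Image names of the Chromium-based browsers the article mentions.
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}

# Hypothetical allowlist of hosts an organisation deliberately opens in app mode
# (assumption; populate from your own inventory of sanctioned web apps).
ALLOWED_APP_HOSTS = {"intranet.example.internal"}

# Matches --app=<value>, where the value may or may not be wrapped in double quotes.
# Note that "--app-id=" (a legitimately installed PWA) does not match this pattern.
APP_FLAG_RE = re.compile(r'--app=(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))', re.IGNORECASE)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # shortcut-style launch: explorer.exe starts Chrome with an app-mode URL
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app=https://login.example-phish.test/office',
    },
    {   # installed PWA by id: not an arbitrary URL window
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app-id=abcdefghijklmnopabcdefghijklmnop',
    },
    {   # sanctioned internal app opened in app mode
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app=https://intranet.example.internal/portal',
    },
    {   # ordinary browser launch with a URL argument: address bar stays visible
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.example.com',
    },
    {   # quoted --app value launched by some other process
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
        "Image": r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe",
        "CommandLine": r'"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --app="https://accounts.example-phish.test/login?x=1"',
    },
]


def image_name(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_app_url(command_line):
    """Return the value of --app= from a command line, or None if absent."""
    m = APP_FLAG_RE.search(command_line)
    if not m:
        return None
    return m.group("quoted") or m.group("bare")


def evaluate(event):
    """Return a finding dict for a suspicious app-mode launch, else None."""
    if image_name(event["Image"]) not in CHROMIUM_BROWSERS:
        return None
    url = extract_app_url(event["CommandLine"])
    if url is None:
        return None
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ("http", "https"):
        return None
    host = (parsed.hostname or "").lower()
    if host in ALLOWED_APP_HOSTS:
        return None
    reasons = ["app-mode window hides the address bar for a non-allowlisted host"]
    if image_name(event["ParentImage"]) == "explorer.exe":
        reasons.append("parent is explorer.exe, consistent with a double-clicked shortcut")
    return {"host": host, "url": url, "reasons": reasons}


def scan(events):
    """Run evaluate() over a sequence of events and keep the findings."""
    return [f for f in (evaluate(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["host"], "|", "; ".join(finding["reasons"]))
```

The allowlist is what keeps this usable: organisations that pin their own web apps to the taskbar generate exactly this command line, so the rule should suppress known hosts and escalate on the combination of an unknown host and an `explorer.exe` parent. Also note that `--app-id=` (an installed PWA) is deliberately not matched, since that path does not open an attacker-chosen URL.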
Meanwhile, Google is discontinuing support for Chrome apps in favor of Progressive Web Apps (PWAs) and web-standard technologies, and the feature is likely to be completely phased out in Chrome 109 or later on Windows, macOS, and Linux.
"The --app feature was deprecated before this research was published, and we are taking its potential for abuse into account as we consider its future. Users should be aware that running any file provided by an attacker is dangerous. Google's Safe Browsing helps protect against unsafe files and websites," Google stated.
"While Safe Browsing is enabled by default in Chrome, users may want to enable Enhanced protection, which inspects the safety of your downloads to better warn you when a file may be dangerous. Enhanced protection can be found in Chrome Settings > Privacy and security > Security. We encourage the security research community to continue to report issues and vulnerabilities through our vulnerability rewards program: g.co/chrome/vrp."