[w3c/manifest] Security Risks in Web App Off-scope Navigation (#747)

Dear Web Platform Working Group,

We’re a security research group at Indiana University Bloomington. Recently we studied the latest published version of Web App Manifest (Living Document) [3] (called the Doc in this report) and found that Section 4 Navigation scope lacks sufficient security consideration. A user agent (or implementor) following the recommendation in Section 4 Navigation scope when handling off-scope navigation may put Web App (e.g., Progressive Web App [4], aka PWA) users at high risk of phishing attacks.

**The problem**
 
According to the “SHOULD” level [5] recommendation for off-scope navigation in Section 4 [1] of the Doc, if a Web App navigates to an off-scope URL, “the user agent SHOULD show a prominent UI element indicating the document URL, or at least its origin, including whether it is served over a secure connection. This UI SHOULD differ from any UI used when the document URL is within scope, in order to make it obvious that the user is navigating off scope”. In our research, we believe that this recommendation is insufficient in its security considerations. In particular, when a malicious Web App is in “fullscreen” or “standalone” display mode [2], the recommended prominent UI in the context of off-scope navigation can be counterfeited by the Web App. More specifically, the malicious Web App may show a counterfeit UI indicating that the active URL/webpage is off-scope (e.g., at google.com or facebook.com to perform third-party authentication), while in fact it is still within scope and counterfeiting the off-scope URL/webpage. We also find that the recommended “prominent UI” implemented by popular mobile browsers is usually simple (see [Figure 1](https://drive.google.com/file/d/1ZsVE_KDzesj-pAYbWX9WjgCdJuTI7n2k/view?usp=sharing)) and trivial to counterfeit by a typical Web App.


**A more concrete attack scenario**

A possible attack leveraging the problem above could take the following steps:

1. A victim user launches a malicious PWA [4] of domain attack.com and is about to navigate off to Google/Facebook/Amazon for some reasonable business (e.g., single sign-on, shopping).

2. However, the malicious PWA actually navigates the user to a within-scope phishing webpage pretending to be Google/Facebook/Amazon.

3. Upon navigation, the PWA could show a fake “prominent UI”, on behalf of the user agent, misleadingly informing the victim user that he/she has been navigated to Google/Facebook/Amazon. It’s natural for the victim user to believe this “prominent UI” is generated by the user agent. Consequently, the victim user incorrectly thinks he/she has been navigated to Google/Facebook/Amazon, and leaks sensitive information (e.g., login credentials, personal or private information) to the malicious PWA.

We attached a demo of this attack; check it out [here](https://drive.google.com/open?id=1at3fGtkKSVvNJQFjAjIhBIqqqEEiGEj3).

**The root cause**

As a security protection, when a Web App is navigated off-scope, users rely on the user agent’s prominent UI to know which origin they are visiting. But the problem is, a Web App in “fullscreen” or “standalone” display mode can control the UI of the full display area and make a misleading counterfeit “prominent UI”, which is hard to differentiate from a genuine one created by the user agent.

The Web App, though in “fullscreen” or “standalone”, still runs inside the user agent. The malicious Web App misplaces victim users’ trust in the counterfeit “prominent UI”, while the victim users assume the counterfeit UI is created by the trusted user agent.


**Recommendation of revision of the Doc**

The recommended “prominent UI” should be hard to counterfeit. While a static UI is relatively easy to counterfeit by a “fullscreen” or “standalone” Web App, a potentially robust and secure way to show the “prominent UI” is through an animated transition into the native user agent app, which itself shows the “prominent UI”. As an example on Android, instead of showing the “prominent UI” directly in the activity of the Web App, it could be secure to switch to the mobile browser, which then shows the “prominent UI”. Showing the “prominent UI” directly inside the Web App is subject to our reported phishing attacks.


References:

[1] Out of scope navigation security consideration, https://www.w3.org/TR/appmanifest/#navigation-scope-security-considerations

[2] Display modes, https://www.w3.org/TR/appmanifest/#display-modes

[3] Web App Manifest Living Document (W3C Working Draft 13 November 2018), https://www.w3.org/TR/appmanifest/

[4] Progressive Web App, https://developers.google.com/web/progressive-web-apps/

[5] Key words for use in RFCs to Indicate Requirement Levels, https://tools.ietf.org/html/rfc2119




GitHub issue: https://github.com/w3c/manifest/issues/747

Received on Monday, 3 December 2018 17:43:56 UTC
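The following is an added worked example, not part of the report above and not code from the W3C manifest project or the authors' demo. It models the manifest spec's "within scope" test (same origin as the scope URL, and a target path that begins with the scope path) and uses it to show why the phishing page in the attack scenario never triggers the user agent's genuine off-scope UI: the page is same-origin and under the scope path, so the only "indicator" the user sees is the one the web app draws itself. The manifest, the attack.com URLs and the indicator data shapes are constructed for illustration; the code assumes Node.js with the WHATWG `URL` class.

```javascript
// Added example (not from the original report). Models the Web App Manifest
// "within scope" check and the resulting on-screen indicator in standalone
// display mode. All URLs, the manifest and the indicator shapes are constructed.

// A manifest of the kind a malicious PWA could ship (constructed).
const manifest = {
  name: "attack.com app",
  start_url: "https://attack.com/app/",
  scope: "https://attack.com/",
  display: "standalone",
};

// Within-scope test per the manifest spec: the target must have the same
// origin as the scope URL, and its path must start with the scope path.
function isWithinScope(targetUrl, scopeUrl) {
  const target = new URL(targetUrl);
  const scope = new URL(scopeUrl);
  if (target.origin !== scope.origin) return false; // scheme, host, port
  return target.pathname.startsWith(scope.pathname);
}

// What the user agent shows after a navigation. In "standalone" or
// "fullscreen" there is no persistent address bar; the spec only asks for a
// prominent UI when the navigation leaves the scope. For an in-scope
// navigation the user agent shows nothing, so this returns null.
function userAgentIndicator(manifest, targetUrl) {
  if (isWithinScope(targetUrl, manifest.scope)) return null;
  const u = new URL(targetUrl);
  return { shownBy: "user-agent", origin: u.origin, secure: u.protocol === "https:" };
}

// What the page itself can draw: arbitrary DOM covering the whole display,
// including a bar that imitates the user agent's indicator. Modelled here as
// the same data shape so the two are directly comparable.
function counterfeitIndicator(claimedOrigin) {
  return { shownBy: "web-app", origin: claimedOrigin, secure: true };
}

// One navigation in the attack scenario. If the target is in scope, the
// malicious document is still the one rendering, so it draws the fake bar;
// if the target is genuinely off scope, the real site renders and the
// attacker's DOM is gone, so no counterfeit is possible at that point.
function simulateNavigation(manifest, targetUrl, claimedOrigin) {
  const genuine = userAgentIndicator(manifest, targetUrl);
  const fake = genuine === null ? counterfeitIndicator(claimedOrigin) : null;
  return { genuine, fake, userSees: fake || genuine };
}

// Step 2 of the scenario: same-origin phishing page, claimed to be Google.
console.log(simulateNavigation(manifest, "https://attack.com/fake-google-login",
                               "https://accounts.google.com"));
// A real off-scope navigation, for contrast.
console.log(simulateNavigation(manifest, "https://accounts.google.com/signin",
                               "https://accounts.google.com"));
```

The point the model makes explicit: the spec's indicator is keyed on the scope check, and the attacker chooses a target that passes it. A defence therefore cannot live in the display area the app controls; it has to be something the app cannot draw, which is why the report proposes handing the indicator to the browser's own UI.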