After browser-in-browser attacks, mr.d0x introduces app mode exploit in Chromium
It lets an attacker create phishing login windows that are almost indistinguishable from the original ones. The attack uses a shortcut that abuses the --app command-line option to open a phishing site. The attacker needs only basic HTML/CSS skills to clone the page; once the user clicks the shortcut, a fake login window appears in front of them, kindly provided by Chromium.
HTML files and shortcuts targeting the ubiquitous Microsoft Edge are enough for phishing. With the appropriate commands and browsers, the exploit also works on Mac and Linux. Although the method depends on an inattentive user, the attack has good potential.
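On the defensive side, this pattern can be hunted in process-creation telemetry. The sketch below is an added example, not code from mr.d0x or from this post: it flags Chromium-family launches whose --app target is a remote URL or a local HTML file, and ignores installed web apps started with --app-id. The sample command lines, host names and the ALLOWED_HOSTS allowlist are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Chromium-family binaries: Edge and Chromium are named in the post, Chrome added.
BROWSER_RE = re.compile(
    r'(?i)(?:^|[\\/"\s])(msedge|chrome|chromium(?:-browser)?)(?:\.exe)?(?=["\s]|$)')
# Matches --app=<target> (target optionally quoted); --app-id=... does not match.
APP_FLAG_RE = re.compile(r'(?<!\S)"?--app=(?:"([^"]*)"|([^\s"]+))')

# Hypothetical allowlist: hosts your organisation itself deploys as app-mode shortcuts.
ALLOWED_HOSTS = {"intranet.example.internal"}

def classify_target(target):
    """Return 'remote', 'local-html' or 'other' for an --app target."""
    scheme = urlparse(target).scheme
    if scheme in ("http", "https"):
        return "remote"
    if scheme == "file" or target.lower().endswith((".html", ".htm")):
        return "local-html"
    return "other"

def find_app_mode_launches(command_lines):
    """Flag browser launches that open a non-allowlisted page in app mode."""
    findings = []
    for line in command_lines:
        browser, flag = BROWSER_RE.search(line), APP_FLAG_RE.search(line)
        if not (browser and flag):
            continue
        target = flag.group(1) or flag.group(2)
        kind = classify_target(target)
        host = urlparse(target).hostname or ""
        if kind == "remote" and host in ALLOWED_HOSTS:
            continue  # known, sanctioned app-mode shortcut
        findings.append({"browser": browser.group(1).lower(),
                         "target": target, "kind": kind})
    return findings

# Constructed process command lines (not captured from a real incident).
SAMPLE = [
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app=https://login.example.test/signin',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default --app-id=abcdefghijklmnop',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="C:\Users\Public\invoice.html"',
    r'/usr/bin/chromium --app=https://intranet.example.internal/wiki',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://example.test/',
]

if __name__ == "__main__":
    for hit in find_app_mode_launches(SAMPLE):
        print(hit)
```

The same match can be applied to the target field of shortcut files collected from user-writable locations, since the post names shortcuts as the delivery vehicle.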