URL Scheme Hijacking (T1415)

View on ATT&CK

Technique & Subtechniques

  • URL Scheme Hijacking

Associated Tactics

  • Credential Access

Credential Access (TA0031)

The adversary is trying to steal account names, passwords, or other secrets that enable access to resources. Credential access represents techniques that can be used by adversaries to obtain access to or control over passwords, tokens, cryptographic keys, or other values that could be used by an adversary to gain unauthorized access to resources. Credential access allows the adversary to assume the identity of an account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. With sufficient access within a network, an adversary can create accounts for later use within the environment.

Procedure Examples

No procedure examples are listed for this technique.

Sources

  • mitre-mobile-attack
  • NIST Mobile Threat Catalogue
  • Hui Xue, Tao Wei, Yulong Zhang, Song Jin, Zhaofeng Chen. (2015, February 19). iOS Masque Attack Revived: Bypassing Prompt for Trust and App URL Scheme Hijacking. Retrieved December 21, 2016. (FireEye-Masque2)
  • Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple's iOS. Retrieved December 21, 2016. (Dhanjani-URLScheme)
  • N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016. (IETF-PKCE)
  • Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016. (MobileIron-XARA)