A security researcher has found an exploit in the Google Chrome browser for mobile that can be used for phishing attacks.
Software developer James Fisher built a proof of concept that takes advantage of a simple weakness in Chrome for mobile. The demo tricks users into thinking they are on a legitimate banking website (hsbc.com) when in fact the page is hosted on jamesfisher.com.
Google Chrome remains one of the most popular browsers in the market. In 2018, Google began blocking ads on Google Chrome that were deemed annoying or detrimental to users.
Google Chrome exploit
But, according to Fisher, the mobile version has a flaw. The attack, dubbed the “inception bar attack”, abuses the way Chrome hides the real address bar once users scroll down a page, and keeps that bar hidden even when they scroll back to the top.
Hiding the address bar is a useful feature on a small screen, since users can see more content in the limited space available.
However, the attack takes advantage of that very feature.
“In Chrome for mobile, when the user scrolls down, the browser hides the URL bar, and hands the URL bar’s screen space to the web page,” said Fisher in his blog. “Because the user associates this screen space with ‘trustworthy browser UI’, a phishing site can then use it to pose as a different site, by displaying its own fake URL bar – the inception bar!”
“This is bad, but it gets worse,” he added. “Normally, when the user scrolls up, Chrome will re-display the true URL bar. But we can trick Chrome so that it never re-displays the true URL bar! Once Chrome hides the URL bar, we move the entire page content into a ‘scroll jail’ – that is, a new element with overflow: scroll. Then the user thinks they’re scrolling up in the page, but in fact, they’re only scrolling up in the scroll jail! Like a dream in Inception, the user believes they’re in their own browser, but they’re actually in a browser within their browser.”
Fisher also uploaded a video of the hack in action.
However, there is a way to check if you are on the correct website.
According to a 9to5Google report, the best way to check whether your address bar has been tampered with is to lock the phone and then unlock it again.
“This should force Chrome for Android to show its real address bar and leave the fake, exploited one on display too, seen below.”