Warning About Chrome Flaw In Address Bar

Tom Jowitt,

Researcher finds simple exploit in Chrome for mobile that could be used to launch phishing attacks

A security researcher has warned of a potential flaw with Chrome for mobile, that could mean users land on bogus websites without realising it.

According to developer James Fisher, he was able to do some clever coding to open up a simple exploit in Chrome for mobile, to make it appear that a user had landed on the banking website HSBC.com, when in actual fact the webpage was hosted on jameshfisher.com.

Chrome of course is Google’s main web browser, and is one of the most popular browsers on the market. Last year Chrome began blocking adverts that were deemed to be annoying or otherwise detrimental to users.

Address bar

But the mobile version has a flaw, according to Fisher. The so called “inception bar attack” exploits the fact that Chrome on mobile hides the address bar when scrolling.

This is a useful feature when scrolling on a smaller screen, as the user can see more more content in the limited space provided.

But this “inception bar attack” takes advantage of that feature.

“In Chrome for mobile, when the user scrolls down, the browser hides the URL bar, and hands the URL bar’s screen space to the web page,” wrote Fisher. “Because the user associates this screen space with ‘trustworthy browser UI’, a phishing site can then use it to pose as a different site, by displaying its own fake URL bar – the inception bar!”

“This is bad, but it gets worse,” he added. “Normally, when the user scrolls up, Chrome will re-display the true URL bar. But we can trick Chrome so that it never re-displays the true URL bar! Once Chrome hides the URL bar, we move the entire page content into a ‘scroll jail’ – that is, a new element with overflow:scroll. Then the user thinks they’re scrolling up in the page, but in fact they’re only scrolling up in the scroll jail! Like a dream in Inception, the user believes they’re in their own browser, but they’re actually in a browser within their browser.

Fisher posted a video of the hack in operation here.

There is though a way to double check that you are actually on the correct website.

The 9to5Google team noted that users can force the real address bar to show by locking and then unlocking their phone again.

“This should force Chrome for Android to show its real address bar and leave the fake, exploited one on display too,” they wrote.

Do you know all about security? Try our quiz!