‘Inception bar’ phishing attack replaces Chrome’s address bar with a fake

Chrome hides the address bar when you scroll, allowing the attack to replace it with a fake

Google Chrome

Malicious actors continuously search for new methods of phishing and scamming people, and developers hunt for ways to combat these attacks. A recently discovered flaw in how Chrome's address bar behaves on mobile could open the gates for plenty of phishing attempts.

Developer James Fisher discovered a potential attack coined the “inception bar” that replaces Chrome’s address bar with a fake one.

The attack relies on Chrome's basic functionality on mobile devices. When browsing on your phone, scrolling down hides the address bar, and scrolling up brings it back. This normal feature, often helpful on devices with small screens, forms the foundation of the potential attack.

Chrome inception bar proof-of-concept

According to Fisher, malicious actors can manipulate this behaviour to swap the real Chrome address bar with a fake one.

Essentially, once the real address bar has been hidden, a page can trap the user in what Fisher calls a "scroll jail": an 'overflow container' with a fake page refresh, so it appears they are scrolling up the page when they are actually only scrolling within the container, and the real address bar never returns. The attacker can then place a fake address bar at the top of the page to confuse users.

Fake address bars make it easy for attackers to trick users

Fisher built a proof-of-concept on his website that replaces the address bar with one showing the URL for HSBC, the world’s seventh largest bank. Fisher’s concept uses a static image, so users can’t interact with the URL or elements of the address bar, but a malicious attacker could create an interactive one to make things more convincing.

It’s also worth noting that Fisher’s concept isn’t perfect. Sometimes the behaviour bugs out and displays both the fake and real address bar.

Regardless, the potential for phishing scams and other attacks is quite high. Plenty of scams already use lookalike URLs to trick users into thinking they're on a website they're not on (such as paypai.com instead of paypal.com). Coupled with the ability to show fake URLs in the inception bar, these sites could go much further in fooling users.
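The paypai.com example above is the lookalike-domain half of the problem, and it is the half a defender can check mechanically. The following is an added example, not code from the article or from Fisher, of a small heuristic that flags a hostname as a lookalike of a known brand: it normalises common confusable characters (1 for l, 0 for o, i for l, and so on), compares the registrable label against a list of brand domains by edit distance, and also catches the brand name being used as a subdomain of an unrelated domain. The brand list and the confusable table are constructed for the example, and "registrable domain" is simplified to the last two labels (a real tool would consult the Public Suffix List).

```javascript
// Added example (not from the original article): heuristic lookalike-domain check.
// Assumption: a constructed list of brand domains a defender wants to protect.
const BRAND_DOMAINS = ["paypal.com", "hsbc.com", "google.com"];

// Constructed, deliberately partial table of characters commonly swapped to imitate a brand.
// Multi-character entries are listed first so they are applied before single characters.
const CONFUSABLES = [
  ["rn", "m"],
  ["vv", "w"],
  ["1", "l"],
  ["i", "l"],
  ["0", "o"],
  ["5", "s"],
];

// Fold confusable characters so "paypa1" and "paypai" both become "paypal".
function normalizeLabel(label) {
  let out = label.toLowerCase();
  for (const [from, to] of CONFUSABLES) out = out.split(from).join(to);
  return out;
}

// Classic Levenshtein edit distance (two-row dynamic programming).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur.push(Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns { verdict: "trusted" | "lookalike" | "unrelated", brand, reason }.
// Simplification: the registrable domain is taken to be the last two labels.
function classifyHost(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  const registrable = labels.slice(-2).join(".");
  if (BRAND_DOMAINS.includes(registrable)) {
    return { verdict: "trusted", brand: registrable, reason: "exact registrable domain" };
  }
  const secondLevel = normalizeLabel(labels[labels.length - 2] || "");
  const subdomains = labels.slice(0, -2);
  for (const brand of BRAND_DOMAINS) {
    const brandLabel = brand.split(".")[0];
    const normalizedBrand = normalizeLabel(brandLabel);
    // "paypal.com.secure-login.example": brand name placed in the subdomain part.
    if (subdomains.includes(brandLabel)) {
      return { verdict: "lookalike", brand, reason: "brand name used as subdomain" };
    }
    // "paypai.com", "paypa1.com", "paypl.com": confusable or one edit away.
    if (editDistance(secondLevel, normalizedBrand) <= 1) {
      return { verdict: "lookalike", brand, reason: "registrable label resembles brand" };
    }
  }
  return { verdict: "unrelated", brand: null, reason: "no brand match" };
}

// Stand-alone usage over constructed sample hostnames.
for (const host of ["paypal.com", "paypai.com", "www.paypa1.com",
                    "paypal.com.secure-login.example", "example.com"]) {
  const r = classifyHost(host);
  console.log(host.padEnd(34), r.verdict.padEnd(10), r.reason);
}

module.exports = { classifyHost, normalizeLabel, editDistance };
```

The verdicts are only a triage signal: an edit distance of one also matches legitimate short names, so a production check would combine this with certificate and registration data rather than block on the string alone.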

Worse, Fisher suggests this is a Chrome security flaw with no easy fix. Google would have to significantly change how the browser hides the address bar on mobile devices to combat the issue.

Thankfully, an attack using the inception bar hasn't appeared in the wild yet, but that doesn't mean it won't. For now, you'll have to stay vigilant and hope Google develops a fix soon.

Source: James Fisher. Via: Android Police.