Phishing Exploit in Chrome Exposed

There are many telltale signs of a fake site, but it’s hard to keep up with all of them — which is why most users rely on their browser’s address bar to determine if a site is legitimate or not.

A developer has now demonstrated an exploit that can dupe people into believing they’re on a legitimate site by showing a fake version of Chrome for Android’s full address bar.

Chrome For Android Address Bar Phishing Trick Exposed

When scrolling down on any page in Chrome for Android, the topmost user interface, which includes the address bar and the tabs button, slides up out of view so as not to obstruct the page. But as developer Jim Fisher wrote on his blog (first reported by 9to5Google), a website can easily replace this UI element with a handful of web design tricks.

Fisher found that a page can “jail” its own scrolling, so that the user can scroll back up without the real address bar UI ever reappearing. When the user scrolls back up, the page can then display an image of a fake address bar at the top of the screen, where the legitimate address bar UI would normally appear, complete with the “lock” icon that users rely on to judge whether a site is safe.

Perhaps the most concerning implication of this exploit is that a user can’t easily leave the page without access to Chrome for Android’s real address bar. Yes, it should be as easy as hitting the back button on their device, but plenty of websites have shown that this is easy to override. Google is currently developing a fix for this, though.

How To Check If You’ve Been Tricked

The best way to check whether Chrome for Android is showing a legitimate address bar is to lock the phone and unlock it again. This forces the app to redraw its real address bar, so if the page has substituted a fake one, both the legitimate address bar and the fake one will be visible. It’s not an ideal solution, but it’ll do for now.

Fortunately, this trick is focused on Chrome and is only a proof of concept for now, but if malicious actors and phishing sites adopted it, it could theoretically be used to display fake address bars not just in Chrome but in a variety of other browsers as well. A phishing campaign could then generate not just a convincing page, but a convincing address bar, too.


source:  Tech Times