Chrome for mobile has a security bug that allows hackers to mask a website link, making users believe that the page they are surfing is secure. The bug basically hides the URL bar and can potentially compromise the user’s data.
The bug was found by developer James Fisher who has documented the whole process of the phishing attack. He has stated that hackers can take advantage of the bug which hides the URL bar when a user scrolls down through a web page on Chrome. The extra space provided by hiding the URL bar can be used to show more malicious content.
Fisher further added that hackers could replace the original URL with a doctored one and fool users into visiting the malicious website. He calls this bug the Inception bar.
Fisher further added that the bug could even lock users into a webpage that, through false page refreshes, makes them believe they are scrolling a webpage. This technique is called Scroll Jail. Fisher claimed that if a user gets fooled by the phishing attack, they may expose their credentials. To make the page look more realistic, hackers may even mask the URL and create an interactive URL bar.
Fisher mentioned that the only opportunity to identify the original URL is during page load after which the webpage becomes prone to attack.
“Is this a serious security flaw? Well, even I, as the creator of the inception bar, found myself accidentally using it! So I can imagine this technique fooling users who are less aware of it, and who are less technically literate. The only time the user has the opportunity to verify the correct URL is on page load, before scrolling the page. After that, there’s not much escape,” wrote Fisher.
Here is how you can avoid becoming a victim of the security bug.
- Firstly, make sure the URL you are browsing is authentic before you scroll down.
- Hit the back button or reload the page if you think you have scrolled down before checking the URL.
- Make sure the Chrome app is showing you the URL bar.
- Keep track of the number of tabs you have opened.