On Saturday, April 27, 2019, web developer James Fisher demonstrated a new Google Chrome loophole in a blog post. Using a few design tricks, a web page can fool users into thinking they are on a different site, opening the door to phishing scams.
“In Chrome for mobile, when the user scrolls down, the browser hides the URL bar and hands the URL bar’s screen space to the web page. Because the user associates this screen space with ‘trustworthy browser UI’, a phishing site can then use it to pose as a different site by displaying its own fake URL bar – the inception bar,” stressed James Fisher.
To further drive home and prove his point, Fisher took a screenshot of Chrome’s URL bar on the HSBC website and inserted it into his own web page.
With a little more effort, the page could detect which browser it is in and forge an inception bar for that browser.
With yet more effort, the inception bar could be made interactive. Even if the user is not fooled by the current page, the page gets another try after the user enters gmail.com in the inception bar.
It can be very easy for someone who is unaware of this threat, or not technically literate, to be fooled by it, because the fake bar looks so natural and straightforward.
The only time the user has the opportunity to verify the true URL is on page load, before scrolling the page. After that, there is no sure way to verify it.
This is a threat that could be very costly and disastrous if not properly checked and countered.
How you protect yourself against this threat is up to you.
“I see it as a security flaw in Chrome, but what is the fix? There is a trade-off between maximizing screen space on one hand and retaining trusted screen space on the other.
One compromise would be for Chrome to retain a small amount of screen space above the ‘line of death’, instead of giving up literally all the screen space to the web page.
Chrome could use this space to signal that ‘the URL bar is currently collapsed’, e.g. by displaying the shadow of an almost-hidden URL bar,” stressed James Fisher.
You can read our previous post on secure browsing tips for Chrome users.