Mobile Google Chrome vulnerable to inception bar attack

Posted on Monday, Apr 29 2019 @ 11:09 CEST by Thomas De Maesschalck
Google logo
Developer James Fisher discovered the mobile version of Google's Chrome browser can be abused to trick users into falling for phishing attacks. The default behaviour of the mobile Chrome browser is to hide the address bar when you scroll down, to give more screen space to the content of the website.

Fisher notes attackers could abuse this feature to perform an "inception bar" attack, which makes it possible to show a fake title bar that looks like the real thing:
In Chrome for mobile, when the user scrolls down, the browser hides the URL bar, and hands the URL bar’s screen space to the web page. Because the user associates this screen space with “trustworthy browser UI”, a phishing site can then use it to pose as a different site, by displaying its own fake URL bar - the inception bar!

This is bad, but it gets worse. Normally, when the user scrolls up, Chrome will re-display the true URL bar. But we can trick Chrome so that it never re-displays the true URL bar!

About the Author

Thomas De Maesschalck

Thomas has been messing with computer since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.

Loading Comments