Chrome Mobile Susceptible to Phishing Attacks

Posted on April 29, 2019 by Paul Thurrott in Android, Chrome OS, Cloud, Google, Google Chrome, iOS, Mobile with 5 Comments

A software developer has identified a simple exploit in the mobile version of Google Chrome that can be used for phishing attacks. He calls it “the inception bar.”

“In Chrome for mobile, when the user scrolls down, the browser hides the URL bar and hands the URL bar’s screen space to the web page,” developer James Fisher explains. “Because the user associates this screen space with ‘trustworthy browser UI,’ a phishing site can then use it to pose as a different site, by displaying its own fake URL bar – the inception bar!”

As Mr. Fisher explains it, that behavior is bad enough. But thanks to the programmable nature of Chrome mobile, hackers could also trick the browser into never re-displaying the real address bar, which typically happens if the user scrolls back up the page or scrolls to the top of the page.

That behavior explains Fisher’s name for the hack: In the movie Inception, characters could be robbed while dreaming. “Like a dream in Inception, the user believes they’re in their own browser, but they’re actually in a browser within their browser,” he explains. “The user thinks they’re scrolling up in the page, but in fact, they’re only scrolling up in the scroll jail [in which the real address bar is never displayed].”
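As an added defender-side illustration (not code from the article or from James Fisher's demo), the following heuristic flags the "scroll jail" layout described above: the real document no longer scrolls, so the browser never gets the page scroll on which it would restore its URL bar, while a viewport-sized inner element does all the scrolling. The snapshot format, the helper names, the thresholds and the two sample layouts are assumptions made for this example; the heuristic will also fire on legitimate app-shell pages that use the same layout, so it is a triage signal rather than proof of phishing.

```javascript
// Added example, not from the article or from the original demo: a
// defender-side heuristic for the "scroll jail" layout. Snapshot format,
// helper names and thresholds are assumptions made for this example.

// A layout snapshot is plain data so the heuristic can run outside a browser:
// { viewportHeight, documentScrollHeight,
//   elements: [{ tag, position, top, height, overflowY, scrollHeight }] }

function detectScrollJail(snapshot) {
  const { viewportHeight, documentScrollHeight, elements } = snapshot;
  const reasons = [];

  // Signal 1: the real document does not scroll. Its content fits in the
  // viewport, so the browser never sees a page scroll on which it would
  // bring its own URL bar back.
  const documentScrolls = documentScrollHeight > viewportHeight;
  if (!documentScrolls) reasons.push('document content fits the viewport');

  // Signal 2: an inner element does the scrolling instead. It is (nearly)
  // viewport-sized, has scrollable overflow and holds taller content.
  const jails = elements.filter((el) =>
    (el.overflowY === 'scroll' || el.overflowY === 'auto') &&
    el.height >= viewportHeight * 0.9 &&
    el.scrollHeight > el.height);
  if (jails.length > 0) reasons.push(`${jails.length} viewport-sized scroll container(s)`);

  // Signal 3 (weak): something pinned to the top edge, where the real URL bar
  // would normally reappear. Many legitimate sites have sticky headers, so
  // this only adds weight; it never flags a page on its own.
  const pinnedTop = elements.filter((el) =>
    (el.position === 'fixed' || el.position === 'sticky') &&
    el.top === 0 && el.height > 0 && el.height < viewportHeight * 0.2);
  if (pinnedTop.length > 0) reasons.push(`${pinnedTop.length} element(s) pinned to the top edge`);

  return {
    scrollJail: !documentScrolls && jails.length > 0,
    pinnedTopElements: pinnedTop.length,
    reasons,
  };
}

// Browser-only helper using standard DOM calls: builds a snapshot from the
// live page so the heuristic can be pasted into DevTools on a suspect page.
function snapshotFromDocument(doc = globalThis.document, win = globalThis) {
  const elements = [];
  for (const node of doc.querySelectorAll('*')) {
    const cs = win.getComputedStyle(node);
    const rect = node.getBoundingClientRect();
    elements.push({
      tag: node.tagName.toLowerCase(),
      position: cs.position,
      top: Math.round(rect.top),
      height: Math.round(rect.height),
      overflowY: cs.overflowY,
      scrollHeight: node.scrollHeight,
    });
  }
  return {
    viewportHeight: win.innerHeight,
    documentScrollHeight: doc.scrollingElement.scrollHeight,
    elements,
  };
}

// Constructed sample snapshots (not measured from any real site).
const benignPage = {
  viewportHeight: 800,
  documentScrollHeight: 3200, // the document itself scrolls
  elements: [
    { tag: 'header', position: 'sticky', top: 0, height: 56, overflowY: 'visible', scrollHeight: 56 },
    { tag: 'main', position: 'static', top: 56, height: 3100, overflowY: 'visible', scrollHeight: 3100 },
  ],
};

const jailedPage = {
  viewportHeight: 800,
  documentScrollHeight: 800, // the document never scrolls...
  elements: [
    // ...because a viewport-sized container does all the scrolling
    { tag: 'div', position: 'static', top: 0, height: 800, overflowY: 'scroll', scrollHeight: 6000 },
    { tag: 'div', position: 'fixed', top: 0, height: 56, overflowY: 'visible', scrollHeight: 56 },
  ],
};

if (typeof module !== 'undefined' && require.main === module) {
  console.log(detectScrollJail(benignPage)); // scrollJail: false
  console.log(detectScrollJail(jailedPage)); // scrollJail: true
}
```

Run in Node to see the two constructed cases; in a browser, `detectScrollJail(snapshotFromDocument())` evaluates the live page. The benign sample has a sticky header but still lets the document scroll, so it is not flagged; only the combination of a non-scrolling document and a viewport-sized inner scroller is.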

In case it’s not obvious, a fake address bar could be styled to look like the secure website of a bank or other service, and fool users into entering private data such as user names and passwords. Fisher says he’s not sure how a user could protect themselves from this flaw, and he views it, correctly, as a security flaw in Chrome mobile.

Google has not yet publicly commented on this issue. And, yes, I assume the new Chromium-based Edge is susceptible to this type of attack as well.


Comments (5)

  1. wright_is

    Chromium Edge won't be susceptible.

    Edge on Android or iOS, along with Firefox on mobile and most other mobile browsers, would be susceptible. That said, they would probably have the advantage that the phishing site would be programmed to look like Chrome for Android and would look different enough that a savvy user would notice that the inception bar doesn't look like their browser's normal title bar.

  2. chrisrut

    This is reminiscent of tactics used by the USAF's "penetration squads" back in the 60s and 70s, which hacked commercial systems in order to learn how to make them secure. "Fake log in screens" were used to great effect: so said my boss at Gemini Computers, who ran said programs, which resulted in the "Orange Book", and the NCSC.

    Human Factors views the user as the most important component in any system. Security views that same user as the weakest link.

  3. IanYates82

    I like how he even has 26 tabs open in the demo.

    It's a good fake.

    Except that 26 tabs was far too low. So many things pop open a browser tab that I interact with and then never return to.

  4. clhodappp

    I've been wondering if something like this were possible ever since I discovered that pages could be made to force you to scroll back to the top to see the URL bar. Chrome needs to either not let pages do this or at least make some kind of reliable gesture to bring the top controls back.