
Chrome inception bar phishing method replaces real address bar with a fake one

Chrome is one of the most widely used browsers on mobile phones and is generally considered safe, as it is developed and maintained by Google. However, developer Jim Fisher has found a new exploit that shows how an attacker could emulate the browser's address bar to impersonate a legitimate website. While this might not sound scary, the way Fisher demonstrated it in a proof-of-concept video might make privacy-conscious users double-check the address bar before entering any personal information on a website. Using a few web design skills and tricks, the developer created a website that replaces Chrome's address bar and its UI.

Fisher calls the new phishing method 'the inception bar'. One can visit the developer's website on a mobile phone to experience how a site could be modified to lock a user in. He explains that when one scrolls down a webpage in Chrome, the URL bar is hidden and reappears when one scrolls back up. A phishing site, however, can display its own fake URL bar once the user scrolls down and trick Chrome into not displaying the real address bar when the user scrolls back up. Unfortunately, even scrolling up can be blocked with some clever programming: Fisher added an extra-tall padding element at the top of the site, so that users who scroll up are scrolled back down to where the content starts, and the jump looks like a page refresh.

"In my proof-of-concept, I've just screenshotted Chrome's URL bar on the HSBC website, then inserted that into this webpage. With a little more effort, the page could detect which browser it's in, and forge an inception bar for that browser. With yet more effort, the inception bar could be made interactive. Even if the user isn't fooled by the current page, you can get another try after the user enters 'gmail.com' in the inception bar!" states Fisher's blog post. You can watch his proof-of-concept video here.

The developer thinks this method can be a serious security flaw, since even he, its creator, was accidentally fooled by it a few times. Users can only verify the legitimacy of the address bar when the page first loads, because once they scroll down, the real address bar is replaced by the fake one. As 9to5Google notes, one can lock and unlock the phone to force Chrome for Android to display the real address bar alongside the fake one.



from Latest Technology News http://bit.ly/2PBJW72
