
Beware! Google Chrome address bar can reportedly be used to launch a phishing attack

A researcher has found an exploit in the Google Chrome browser for mobile that could be used to launch phishing attacks.

In the fight against phishing attacks, there’s a new web-hosted hoax you have to look out for — fake address bars.

Discovered by developer James Fisher, a potential flaw in Google Chrome could let a malicious site fool Android users by exploiting Chrome’s disappearing address bar, so that they unknowingly stay on a fake site that looks like a real one.

How does it work?

Typically when you use Chrome for mobile on Android, the URL bar slides out of view as you scroll down a webpage. Attackers can take advantage of this behaviour to draw a fake URL bar, which Fisher calls an “inception bar,” in the space the real one vacated; the fake bar does not go away until you visit another website.

The fake bar displays a real website’s address, fooling you into thinking that you’re on a different site than you actually are.

What’s even worse is that the attack can keep the real address bar from reappearing when you scroll back up. This method could theoretically allow a malicious site to capture your passwords and credit-card numbers while you believe you are on the site the fake bar names.

Fisher demonstrated the technique using hsbc.com, the website of one of the world’s largest banks; the finding was first reported by the tech news site 9to5Google. If you visit Fisher’s demonstration page in Chrome on an Android smartphone, you’ll notice that the address bar appears to read hsbc.com once you start scrolling down.
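The following is an added example, not code from the article or from Fisher’s proof of concept. It models the pattern described above from the defender’s side: a heuristic that flags a page when an element pinned to the top of the viewport names a different site than the one actually loaded, or when the page locks document scrolling and scrolls an inner container instead (one way a page can keep Chrome from ever bringing the real bar back; that mechanism is an assumption here, not something the article states). The element model, thresholds, the `snapshotDocument` browser adapter and the sample pages with the hostname `attacker.example` are all constructed for this example.

```javascript
// Hostnames that appear literally in a piece of text (e.g. "hsbc.com", "https://www.hsbc.com/").
const HOST_RE = /(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[\/\s]|$)/gi;

function hostnamesIn(text) {
  const found = new Set();
  for (const m of (text || '').matchAll(HOST_RE)) found.add(m[1].toLowerCase());
  return [...found];
}

// "hsbc.com" and "www.hsbc.com" count as the same site; a sticky header that
// names the site you are really on is not a spoof.
function sameSite(a, b) {
  return a === b || a.endsWith('.' + b) || b.endsWith('.' + a);
}

// A fixed or sticky element drawn where a mobile browser's address bar would sit.
function pinnedAtTop(el, viewport) {
  const pos = el.style.position;
  return (pos === 'fixed' || pos === 'sticky') && el.rect.top <= viewport.height * 0.1;
}

// Inspects a page snapshot { host, viewport, elements } and returns a list of findings.
function analyzePage(page) {
  const findings = [];
  const realHost = page.host.toLowerCase();
  const vp = page.viewport;

  for (const el of page.elements) {
    if (!pinnedAtTop(el, vp)) continue;
    // Strong signal: the pinned element names a site other than the one loaded.
    const spoofed = hostnamesIn(el.text).filter((h) => !sameSite(h, realHost));
    if (spoofed.length) findings.push({ kind: 'spoofed-hostname', hosts: spoofed });
    // Weak signal: a full-width, bar-height overlay that carries an image (a screenshot of a real bar).
    const barShaped = el.rect.width >= vp.width * 0.9 && el.rect.height >= 36 && el.rect.height <= 100;
    if (barShaped && el.hasImage) findings.push({ kind: 'bar-shaped-overlay' });
  }

  // "Scroll jail" (assumed mechanism): the document itself cannot scroll, so the browser never
  // gets a scroll-up event that would re-show its bar, while a viewport-sized child scrolls instead.
  const docLocked = page.elements.some(
    (e) => (e.tag === 'html' || e.tag === 'body') && e.style.overflow === 'hidden');
  const innerScroller = page.elements.some(
    (e) => e.tag !== 'html' && e.tag !== 'body' &&
      (e.style.overflowY === 'scroll' || e.style.overflowY === 'auto') && e.rect.height >= vp.height);
  if (docLocked && innerScroller) findings.push({ kind: 'scroll-jail' });
  return findings;
}

// A spoofed hostname alone is enough; a bar-shaped overlay only counts together with a scroll jail.
function isSuspicious(findings) {
  const kinds = new Set(findings.map((f) => f.kind));
  return kinds.has('spoofed-hostname') || (kinds.has('bar-shaped-overlay') && kinds.has('scroll-jail'));
}

// Browser adapter (hypothetical, not run under Node): builds the same snapshot from the live DOM.
function snapshotDocument() {
  const elements = [...document.querySelectorAll('*')].map((node) => {
    const cs = getComputedStyle(node);
    const r = node.getBoundingClientRect();
    return {
      tag: node.tagName.toLowerCase(),
      text: node.textContent,
      style: { position: cs.position, overflow: cs.overflow, overflowY: cs.overflowY },
      rect: { top: r.top, width: r.width, height: r.height },
      hasImage: node.tagName === 'IMG' || node.querySelector('img') !== null,
    };
  });
  return { host: location.hostname, viewport: { width: innerWidth, height: innerHeight }, elements };
}

// Small factory for the constructed snapshots below.
function el(tag, text, position, overflow, rect, hasImage) {
  return { tag, text, style: { position, overflow, overflowY: overflow }, rect, hasImage };
}

// Constructed: a page on attacker.example showing "hsbc.com" in a pinned overlay, with the document
// locked and all scrolling happening inside a wrapper div.
const SAMPLE_PAGE = {
  host: 'attacker.example',
  viewport: { width: 412, height: 800 },
  elements: [
    el('html', '', 'static', 'hidden', { top: 0, width: 412, height: 800 }, true),
    el('body', '', 'static', 'hidden', { top: 0, width: 412, height: 800 }, true),
    el('div', 'hsbc.com', 'fixed', 'visible', { top: 0, width: 412, height: 56 }, true),
    el('div', 'Log on to Internet Banking', 'static', 'scroll', { top: 56, width: 412, height: 800 }, false),
  ],
};

// Constructed: the real site with a sticky header that names itself and carries a logo.
const BENIGN_PAGE = {
  host: 'www.hsbc.com',
  viewport: { width: 412, height: 800 },
  elements: [
    el('html', '', 'static', 'visible', { top: 0, width: 412, height: 2400 }, true),
    el('header', 'hsbc.com Log on', 'sticky', 'visible', { top: 0, width: 412, height: 64 }, true),
    el('main', 'Welcome back.', 'static', 'visible', { top: 64, width: 412, height: 2300 }, false),
  ],
};

console.log('sample page suspicious:', isSuspicious(analyzePage(SAMPLE_PAGE)));
console.log('benign page suspicious:', isSuspicious(analyzePage(BENIGN_PAGE)));
```

The hostname check is the decisive one because it compares what the page shows against `location.hostname`, which a page cannot forge; the overlay and scroll-lock checks are only corroborating signals, since legitimate sites use sticky headers and full-height scroll containers too.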


How do I spot a fake web address bar?

You have to check the website’s real address before you start scrolling, because that is the only moment the genuine address bar is guaranteed to be on screen. USA TODAY reached out to Google for more information on the Chrome security flaw.

If you lock your phone and unlock it while on the webpage, the real address bar reappears above the fake one, exposing the scam.

This is what the double address bars looks like on Chrome for Android.

While Fisher’s proof of concept focuses only on Chrome for mobile, this type of attack could in principle be carried out in other browsers as well, and a spoofer could draw more than a fake address bar in the space the real browser interface vacates.
