Beware! Google Chrome address bar can reportedly be used to launch a phishing attack
In the fight against phishing attacks, there’s a new web-hosted hoax you have to look out for — fake address bars.
How does it work?
Typically when you use Chrome for mobile on Android, as you scroll down a webpage the URL bar vanishes. Attackers can use this vulnerability to display a fake URL address bar called an “inception bar” that won’t disappear until you visit another website.
The fake bar displays a real website’s address, fooling you into thinking that you’re on a different site than you actually are.
What’s even worse is that the attack can block you from seeing the real address bar once you scroll back up. This method could theoretically allow malicious sites to illegally capture your passwords and credit-card numbers.
Fisher showed this hack using hsbc.com, the website belonging to one of the world’s largest banks. The hack was first reported by tech news site 9to5Google.com. If you visit Fisher’s website using the Chrome browser on an Android smartphone, you’ll notice the address bar suddenly reads hsbc.com once you start scrolling down.
How do I spot a fake web address bar?
You have to pay attention to the website’s starting address before you start scrolling. USA TODAY reached out to Google for more information on the Chrome security flaw.
If you lock your phone and unlock it while on the webpage, the real address bar will show back up on top of the fake one, exposing the scam.
While Fisher’s proof-of-concept method focuses just on Chrome for mobile, this type of attack could theoretically be leveraged by spoofers using other browsers as well, and to display more than fake address bars.