Mobile Chrome Users Could Be Scammed

John Lister's picture

A tech expert has spotted a security risk in the mobile edition of Chrome. The way the exploit works means that scammers could make the browser appear to show a fake website address.

This type of exploit would be particularly useful in a phishing scam, where hackers could develop a bogus website (such as a major banking site) to trick people into handing over personal information or passwords to sensitive data.

James Fisher noted a potential problem with what's meant to be a useful measure in mobile Chrome. As the user scrolls down the page - which is much more likely to happen on a phone screen than on a computer - Chrome will hide the URL bar. (Source: jameshfisher.com)

That's the box at the top of the screen which displays the website address of the current page. The idea of hiding it is to free up valuable space to show more of the web page.

Fake URL Looks Convincing

Fisher realized it's possible to have the bogus page display a fake image of an URL bar that 'hovers' at the top of the page and appears to be static. The image can even include the green text and padlock symbol that Chrome uses to indicate a secure website.

The exploit works by placing malicous code inside a webpage. Once executed, it effectively displays a new browser interface inside of Chrome - an effect Fisher likens to the movie Inception. The result is that even if the user scrolls back to the top of the page, the real address bar won't show at all.

The only way the user would break the illusion would be if they tried to tap on the "address bar" to type in a new address.

Google Could Mitigate Risk

According to Fisher, there's no real way for users to guard against such scams, other than to check the address bar before they first scroll down on a page. It's also a reminder for users to always be wary about following suspicious links or those from unknown sources, and to consider directly typing in the address of sensitive websites.

Fisher says it's more of a design choice with unintended consequences by Google, rather than an actual bug. However, he does suggest Google could compromise the exploit by reserving the very top couple of lines of the screen to show a "collapsed" box for the real URL bar, rather than have the entire screen available to the web page.

What's Your Opinion?

Are you surprised nobody has spotted this risk before? Does it sound like something scammers might seriously try to exploit? Should Google follow Fisher's suggested "fix"?

Rate this article: 
Average: 5 (6 votes)

Comments

matt_2058's picture

Sounds like the suggested fix would be simple enough to implement. But then again, I don't write code.

jlmiles8's picture

Google should fix it, period. It's a security risk that Google created however unintentionally and they need to address it. No question.