Mobile Chrome Users Could Be Scammed
A tech expert has spotted a security risk in the mobile edition of Chrome. The way the exploit works means that scammers could make the browser appear to show a fake website address.
This type of exploit would be particularly useful in a phishing scam, where hackers could develop a bogus website (such as a major banking site) to trick people into handing over personal information or passwords to sensitive data.
James Fisher noted a potential problem with what's meant to be a useful measure in mobile Chrome. As the user scrolls down the page - which is much more likely to happen on a phone screen than on a computer - Chrome will hide the URL bar. (Source: jameshfisher.com)
That's the box at the top of the screen which displays the website address of the current page. The idea of hiding it is to free up valuable space to show more of the web page.
Fake URL Looks Convincing
Fisher realized it's possible to have the bogus page display a fake image of a URL bar that 'hovers' at the top of the page and appears to be static. The image can even include the green text and padlock symbol that Chrome uses to indicate a secure website.
The exploit works by placing malicious code inside a webpage. Once executed, it effectively displays a new browser interface inside of Chrome - an effect Fisher likens to the movie Inception. The result is that even if the user scrolls back to the top of the page, the real address bar won't show at all.
The only way the user would break the illusion would be if they tried to tap on the "address bar" to type in a new address.
Google Could Mitigate Risk
According to Fisher, there's no real way for users to guard against such scams, other than to check the address bar before they first scroll down on a page. It's also a reminder for users to always be wary about following suspicious links or those from unknown sources, and to consider directly typing in the address of sensitive websites.
Fisher says it's more of a design choice by Google with unintended consequences than an actual bug. However, he does suggest Google could mitigate the exploit by reserving the very top couple of lines of the screen to show a "collapsed" box for the real URL bar, rather than making the entire screen available to the web page.
What's Your Opinion?
Are you surprised nobody has spotted this risk before? Does it sound like something scammers might seriously try to exploit? Should Google follow Fisher's suggested "fix"?
Comments
Sounds like the suggested fix
Sounds like the suggested fix would be simple enough to implement. But then again, I don't write code.
Fix it!
Google should fix it, period. It's a security risk that Google created however unintentionally and they need to address it. No question.