Potential phishing technique compared to Inception’s dream within a dream

Google Chrome mobile users need to be especially careful when visiting banking sites or other sensitive locales following the discovery of a new phishing technique.

Security researcher James Fisher has shown how it’s possible for a malicious mobile site to imitate the Chrome navigation bar. Worse yet, as the user scrolls down, the real URL bar gets hidden because of the browser’s built-in AutoHide functionality.

The fake address bar attack is limited to Google Chrome. Firefox and other mobile browsers aren’t affected, according to Fisher.

“In Chrome for mobile, when the user scrolls down, the browser hides the URL bar, and hands the URL bar’s screen space to the web page,” Fisher explains in a blog post.

“Because the user associates this screen space with ‘trustworthy browser UI’, a phishing site can then use it to pose as a different site, by displaying its own fake URL bar – the inception bar.”

Scroll jail

Fisher said that when a mobile web browser’s navigation bar is replaced with a fake one, users might easily be fooled into thinking they are on a legitimate website.

“Normally, when the user scrolls up, Chrome will re-display the true URL bar,” he explained. “But we can trick Chrome so that it never re-displays the true URL bar.

“Once Chrome hides the URL bar, we move the entire page content into a ‘scroll jail’ – that is, a new element with overflow:scroll. Then the user thinks they’re scrolling up in the page, but in fact they’re only scrolling up in the scroll jail.”
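A page scanner can triage for the two ingredients described above: a strip in the URL bar's screen space that displays a hostname other than the page's real one, together with a viewport-sized element that scrolls internally. The following is an added example, not code from Fisher's post or The Daily Swig; the snapshot field names, thresholds and sample hostnames are assumptions constructed for illustration.

```javascript
// Added example: triage heuristic over a snapshot of layout data. In a browser
// the fields would come from getComputedStyle(el), el.getBoundingClientRect(),
// el.scrollHeight, el.clientHeight and el.innerText. Thresholds are assumptions.
const COVER = 0.85;                 // share of viewport a jail must fill
const BAR_MIN = 40, BAR_MAX = 90;   // plausible URL-bar heights, CSS px
const HOST_RE = /\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b/i;

// A large element that scrolls internally: gestures move its content,
// not the document, which is the "scroll jail" behaviour described above.
function isScrollJail(el, vp) {
  const scrolls = el.overflowY === "scroll" || el.overflowY === "auto";
  const area = el.rect.width * el.rect.height;
  return scrolls && area >= COVER * vp.width * vp.height &&
         el.scrollHeight > el.clientHeight;
}

// A full-width strip in the URL bar's screen space that displays a
// hostname other than the one the page was really loaded from.
function spoofedHost(el, vp, realHost) {
  const inBarSpace = Math.abs(el.rect.top) <= 1 &&
    el.rect.width >= 0.95 * vp.width &&
    el.rect.height >= BAR_MIN && el.rect.height <= BAR_MAX;
  const m = inBarSpace && HOST_RE.exec(el.text || "");
  if (!m) return null;
  const shown = m[1].toLowerCase();
  return shown === realHost ? null : shown;
}

function assessPage(page) {
  const realHost = new URL(page.url).hostname.toLowerCase();
  const jails = page.elements.filter((el) => isScrollJail(el, page.viewport));
  const spoofs = page.elements
    .map((el) => ({ id: el.id, shown: spoofedHost(el, page.viewport, realHost) }))
    .filter((s) => s.shown !== null);
  return { jails: jails.map((e) => e.id), spoofs,
           suspicious: jails.length > 0 && spoofs.length > 0 };
}

// Constructed samples: a page matching the pattern (served over HTTP while
// showing an HTTPS address), and a benign page whose header shows its own host.
const vp = { width: 360, height: 640 };
const flagged = { url: "http://login.example.net/", viewport: vp, elements: [
  { id: "bar", rect: { top: 0, width: 360, height: 56 }, overflowY: "visible", text: "https://bank.example.com" },
  { id: "jail", rect: { top: 56, width: 360, height: 584 }, overflowY: "scroll",
    scrollHeight: 4000, clientHeight: 584 } ] };
const benign = { url: "https://shop.example.org/", viewport: vp, elements: [
  { id: "hdr", rect: { top: 0, width: 360, height: 56 }, overflowY: "visible", text: "shop.example.org" },
  { id: "main", rect: { top: 56, width: 360, height: 584 }, overflowY: "auto",
    scrollHeight: 2000, clientHeight: 584 } ] };
```

A viewport-sized scrolling container on its own is common in legitimate mobile layouts, so the benign sample reports a jail but is not flagged; only the combination with a mismatched hostname in the bar space is.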

Fisher compares the situation of surfers being trapped in a false environment, or dream, to that faced by characters in Christopher Nolan’s sci-fi classic, Inception. The metaphor allows Fisher to dub the attack ‘Inception Bar’.

Other security experts were impressed by the discovery of the left-field security bug, even though they were skeptical about how much of a practical problem it presents.

Chris Boyd, a security researcher at Malwarebytes, told The Daily Swig that he doubted the trick would make much difference to the success or otherwise of phishing attacks.

Boyd said: “Someone, somewhere, might conceivably think ‘is this really the real thing’ and scroll back up, but I reckon that’s about 10 people in the history of forever. I’d be amazed if anyone about to be phished isn’t already done for, long before you ever reach that point.”

Martijn Grooten, editor of industry journal Virus Bulletin and occasional security researcher, added: “In a parallel universe where everyone checks the actual URL in the address bar to determine whether a site is legitimate this is pretty scary indeed. In this universe, it’s an interesting proof of concept, but not more than that.”

Others argue that the security weakness is ripe for exploitation unless it is addressed by browser vendors.

Vendor urlscan.io argued: “It’s just one other thing feature to make a phishing page more believable. Someone might open a page, scroll down, then wonder ‘wait a minute, is this really HSBC?’ scroll back up and be fooled. And you can host a phishing page on HTTP while still getting a fake HTTPS green lock.”

Gavin Millard, vice president of intelligence at Tenable, commented: “Google and others should consider implementing mitigation techniques like the ‘Line of Death’ to make the demarcation between browser UI and web content more obvious.”

It’s unclear whether or not Google considers the security weakness outlined by Fisher worthy of remediation. The Daily Swig asked Google to comment and we’ll update this story as and when more information comes to hand.