We hardly ever check the address bar on the browser for its authenticity. According to security researcher James Fisher, he has found a way on Chrome for Android that could allow an attacker to create a fake address bar, and also hide the real one. Unfortunately, it could serve as an invitation to cyber attackers to trap you in the fake address bar, causing a potential threat to secure browsing.
Fake address bar – how it works?
According to Fisher, he has discovered three functions on Chrome for Android that an attacker can use to create a fake address bar and permanently hide the real bar. Moreover, an attacker can also lock a user into the fake browser, thereby creating more problems.
So far there have been no such reported cases, but now that Fisher has reported about it, we may see cyber-attackers deploying such a trick. Hopefully, Google has already fixed or will fix this loophole soon.
Talking of the flaw that Fisher has discovered, if a user scrolls down a page on Chrome for Android, the address bar at the top of the screen goes away. So, an attacker can create a webpage with a fake address bar that stays on the screen even when a user is scrolling down.
When a user scrolls back up, usually the address bar also reappears with the correct URL. However, on a page that has been distorted by an attacker, a user may see two address bars. This should serve as a warning bell for the user.
Fisher, however, notes that an attacker can easily hide the real address bar by using legitimate functions in Chrome. This will ensure that the real address bar does not reappear, while the fake one stays.
Is the fix coming?
Technically, such a trick creates a browser within the browser. So, when a user scrolls up they get locked into a browser carrying the fake address bar. Users, in this case, have no way of knowing if they are on a legitimate page or the fake one.
“Like a dream in Inception, the user believes they’re in their own browser, but they’re actually in a browser within their browser,” Fisher says in a post.
Such an issue is concerning, but what is even more concerning is how easily an attacker can apply such deceit using the legitimate Chrome for Android functions.
So far, there have been no comments on the issue from Google. Thus, there is no information on when this loophole will be plugged. Fisher, on the other hand, says he is not sure if this can be easily fixed as Chrome for Android may lose some features in the process.
Fisher refers to this situation as a “trade-off between maximizing screen space on one hand, and retaining trusted screen space on the other.” However, he suggests a workaround that Chrome could somehow inform users that the original address bar has been compromised.
How to stay safe?
Until Google comes up with a fix for this fake address bar issue, there are a few tricks that can be used to identify the fake address bars.
The first trick is forcing the Chrome app to reveal the UI even when you have scrolled down and the address bar is no longer visible. To do this first lock your phone while the Chrome app is open, then unlock it. When you do this, Chrome automatically resets and shows the address bar. If you are facing any phishing attack, you will notice two address bars on unlocking the phone. The top one will be the true URL, while the bottom one would be the fake one.
Second trick is keeping a watch on the number displayed in the tabs icon while using multiple tabs. In such a case, the fake address bar would show incorrect display numbers.
The dark mode in Chrome for Android could also help in detecting the fake address bars. When the dark mode is enabled, all the UI elements and the address bar will be black, but the fake address bar will be in white, thus making it easier to spot them. The same trick can also be applied when using the reader mode, simpler UI modes, or alternate themes in Chrome.
A point to note is that none of the above tricks are fool-proof, and it is possible that hackers find a way to bypass them as well. Also, one would not use these tricks normally while browsing, so a user has to remember to use these tricks to avoid the trap.
So, until Google comes up with a permanent fix, it is advisable that you be careful while browsing, especially banking sites for example, and use the tricks above to stay safe and avoid falling into the phishing trap.
