Chrome on Android: Phishing attackers can now trick you with fake address bar

New 'Inception' attack shows why it's still important to display the URL bar on space-constrained mobile devices.
Written by Liam Tung, Contributing Writer

Why display the URL bar on a mobile device when you can give users more screen space by hiding it? 

Google Chrome for Android does just that after a page has loaded, concealing information about the URL and expanding the screen space available to display content from the web page. 

The feature is handy for users, but developer James Fisher is drawing attention to the possibility that phishing attackers can abuse it to catch users off guard when browsing. 

SEE: How to build a successful developer career (free PDF)

As he demonstrates in a blogpost hosted on his website, the content can be made to convincingly look as if it were hosted on the website of UK banking giant HSBC, with the green HTTPS 'secure' padlock and all.

A phishing attacker would be relying on the chance that users aren't paying attention after clicking a link in a message and scrolling down, at which point Chrome on Android hides the URL bar and gives that space to the web page. Chrome on iOS, which is based on Apple's WebKit, continues to display the original URL bar. 

But on Android that's where a phishing attacker could test potential victims' alertness with a fake URL bar that's built into the phishing web page.


Content can be made to look as if it were, for example, hosted on the website of UK banking giant HSBC, with the green HTTPS 'secure' padlock.

Image: James Fisher

Fisher points out a second potential way a phishing attacker could trick users and game Chrome's design. 

The attack he proposes could use a padding element to prevent Chrome from showing the URL bar again when the user scrolls, which is when Chrome would normally display it again. The user is then in 'scroll jail'. 

"Normally, when the user scrolls up, Chrome will redisplay the true URL bar. But we can trick Chrome so that it never redisplays the true URL bar. Once Chrome hides the URL bar, we move the entire page content into a 'scroll jail' – that is, a new element with overflow:scroll. Then the user thinks they're scrolling up in the page, but in fact they're only scrolling up in the scroll jail."

Fisher named his attack after the sci-fi mind-bender starring Leonardo DiCaprio 'Inception', a film about stealing information by breaking into others' dreams. 

"Like a dream in Inception, the user believes they're in their own browser, but they're actually in a browser within their browser."

While it's unlikely Google would consider this technically a security 'vulnerability' as Fisher calls it, it's not the first time a Google feature he's spotlighted has been exploited by scammers for crime. 

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Fisher last year drew attention to the problem with Google's 'dots don't matter' policy for Gmail addresses, which meant if someone sends an email to 'j.o.h.n.s.m.i.t.h@gmail.com', it will still go to the owner of 'johnsmith@gmail.com'. 

Scammers created Gmail accounts with extra dots and used them to con Netflix account owners into adding their payment card details to a scammer's account. 

The trick works because while Gmail doesn't recognize the dots, most other online services do recognize the dots in an email address and allow the creation of new accounts based on the dotted accounts. 

As ZDNet reported earlier this year, scammers had used this ruse to apply for fraudulent unemployment benefits and file fake tax returns, as well as bypass trial periods for online services.     

The inception flaw is also a tricky one to fix. However, Fisher suggests Google Chrome could have a small space at the top of the screen to show that the URL bar has been collapsed. 

More on Google Chrome security

Editorial standards