A phishing attacker would be relying on the chance that users aren't paying attention after clicking a link in a message and scrolling down, at which point Chrome on Android hides the URL bar and gives that space to the web page. Chrome on iOS, which is based on Apple's WebKit, continues to display the original URL bar.
But on Android that's where a phishing attacker could test potential victims' alertness with a fake URL bar that's built into the phishing web page.
Fisher points out a second potential way a phishing attacker could trick users and game Chrome's design.
The attack he proposes uses a padding element to stop Chrome from restoring the URL bar when the user scrolls back up, which is when Chrome would normally show it again. The user is then stuck in a 'scroll jail'.
"Normally, when the user scrolls up, Chrome will redisplay the true URL bar. But we can trick Chrome so that it never redisplays the true URL bar. Once Chrome hides the URL bar, we move the entire page content into a 'scroll jail' – that is, a new element with overflow:scroll. Then the user thinks they're scrolling up in the page, but in fact they're only scrolling up in the scroll jail."
Fisher named his attack after 'Inception', the sci-fi mind-bender starring Leonardo DiCaprio about stealing information by breaking into other people's dreams.
"Like a dream in Inception, the user believes they're in their own browser, but they're actually in a browser within their browser."
While it's unlikely Google would technically consider this a security 'vulnerability', as Fisher calls it, it's not the first time a Google feature he's spotlighted has been exploited by scammers for crime.
Scammers created Gmail accounts with extra dots and used them to con Netflix account owners into adding their payment card details to a scammer's account.
The trick works because Gmail ignores the dots in an address, while most other online services treat them as significant and so allow new accounts to be created from dotted variants of the same mailbox.
As ZDNet reported earlier this year, scammers had used this ruse to apply for fraudulent unemployment benefits and file fake tax returns, as well as bypass trial periods for online services.
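The defence for a service that accepts sign-ups is to deduplicate accounts on a canonical form of the address. The following is an added example (not code from the article or from Fisher) that collapses dots in the local part for Gmail domains only, which is the behaviour the article describes; it also strips `+tag` suffixes and folds googlemail.com into gmail.com, two further Gmail aliasing behaviours assumed here rather than taken from the article. The sample addresses are constructed.

```python
# Domains whose mail servers ignore dots in the local part (the Gmail
# behaviour the article describes). Treating googlemail.com as an alias
# of gmail.com, and ignoring "+tag" suffixes, are assumptions made here.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize_email(address: str) -> str:
    """Return the form a service should key accounts on.

    Addresses at providers that treat dots as significant are left
    untouched apart from trimming and case-folding, so legitimate
    distinct mailboxes elsewhere are not merged.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = address.split("@")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0]   # drop "+tag" (Gmail ignores it)
        local = local.replace(".", "")   # drop dots (Gmail ignores them)
        domain = "gmail.com"             # fold the googlemail.com alias
    return f"{local}@{domain}"


def duplicate_signups(addresses):
    """Group sign-up addresses by canonical mailbox.

    Returns only the groups that map more than one submitted address
    onto the same mailbox, i.e. the candidates for the dot trick.
    """
    groups = {}
    for raw in addresses:
        groups.setdefault(canonicalize_email(raw), []).append(raw)
    return {key: hits for key, hits in groups.items() if len(hits) > 1}


if __name__ == "__main__":
    # Constructed sample sign-ups: three variants of one Gmail mailbox
    # plus an unrelated address at a provider where dots are significant.
    sample = [
        "john.smith@gmail.com",
        "j.o.h.n.smith@gmail.com",
        "JohnSmith+trial2@googlemail.com",
        "john.smith@example.com",
    ]
    for mailbox, hits in duplicate_signups(sample).items():
        print(f"{mailbox}: {len(hits)} sign-ups -> {hits}")
```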
The Inception flaw is also a tricky one to fix. However, Fisher suggests Google Chrome could reserve a small space at the top of the screen to show that the URL bar has been collapsed.