In an effort to improve the Chrome browser on mobile platforms, Google may have just uncovered what seems to be some serious exploits that can be used for phishing attacks.
Apparently, the Chrome feature on Android devices that hides the URL to free up more screen space has something to do with it. And while it is a little handy for some users, it could pose some dangers.
Chrome On Android: Updates Expose New Exploits
According to security researcher James Fisher, Chrome’s automatically-hiding URL Omnibox and sophisticated features allow web developers to have more control over a website’s interactions.
This could also give scammers a chance to create fake URLs and lure users in, either to steal their information in a phishing attack or to lock them into the web page.
If a user is not paying attention to a link or message that he/she is clicking, a phishing attacker could take advantage of that. When users scroll down, at some point Chrome on Android hides the URL, giving more space to the web page.
Meanwhile, Chrome on iOS does not have the same issue, for it is based on Apple’s WebKit and continues to display the original URL even if you reach the bottom of the page.
That is why Android is far more vulnerable than iOS to these phishing attackers.
From Worse To Worst…
The potential attack was chanced upon when a web developer implemented their own user-interface to mimic the Omnibox at the top of the page.
In Chrome for Android, when the user scrolls down, the browser automatically hides the URL bar. Because the user associates this screen space with “trustworthy browser user-interface”, a phishing site can use it to pose as a different site by displaying a fake URL – an inception bar.
Normally, though, when a user scrolls up the web page, the real URL reappears, but that is not the case here. The phishing attackers can trick Chrome into displaying their own fake URL instead. So, there would be no getting out of the fake web page at all.
The fake user-interface could also be made interactive. It can pull up data about the user’s browser to draw up a working doppelgänger. If this happens, the user could be vulnerable, allowing redirects to fake web pages.
And with just a couple of clicks, these web pages could steal credentials that include email log-in and password, bank pages, as well as personal information like home address and such.
Chrome on Android users won’t easily notice if there is something off or suspicious in their browsers. In fact, these fake user-interfaces are pretty convincing, with the intention of really fooling the users.
For most though, the new exploit won’t pose much risk, especially for those who are very particular about where and when sensitive information is required and who constantly check the URL bar.
Though there has been no evidence that the exploit was used nefariously just yet, users of Chrome on Android should still heed this as a warning.