Developer James Fisher has warned of a technique for replacing the address bar on Google's Chrome browser for Android with a fake version, dubbed the Inception Bar, tricking users into thinking they are visiting one site when they are actually on another.

Given its use on smaller-screen devices, the Android version of Chrome comes with a handful of tricks for maximising the visible page area. The biggest of these is an address bar which automatically hides as the user scrolls down the page, freeing up valuable vertical pixels and reappearing when the user scrolls back up again.

Developer James Fisher, though, has discovered a technique for replacing the address bar with a fake one, and for preventing the real one from showing again when the user scrolls upwards. 'Normally, when the user scrolls up, Chrome will re-display the true URL bar,' Fisher explains of the trick, which is a variant on earlier address bar overlay attacks. 'But we can trick Chrome so that it never re-displays the true URL bar! Once Chrome hides the URL bar, we move the entire page content into a "scroll jail" - that is, a new element with overflow:scroll. Then the user thinks they're scrolling up in the page, but in fact they're only scrolling up in the scroll jail! Like a dream in Inception, the user believes they're in their own browser, but they're actually in a browser within their browser.'

The result: Chrome on Android visitors to Fisher's demonstration page see the genuine URL at first, the attack's only saving grace, but have it replaced with the address of a major international bank as soon as they scroll.

'Is this a serious security flaw? Well, even I, as the creator of the inception bar, found myself accidentally using it,' claims Fisher. 'So I can imagine this technique fooling users who are less aware of it, and who are less technically literate. The only time the user has the opportunity to verify the true URL is on page load, before scrolling the page. After that, there's not much escape. How can you guard yourself against this attack? I don't really know. I see it as a security flaw in Chrome. But what's the fix? There's a trade-off, between maximising screen space on one hand, and retaining trusted screen space on the other.'
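Fisher describes the layout the trick depends on (a document that no longer scrolls, a full-screen element with overflow:scroll holding the real content, and a bar drawn at its top edge) but offers no way to spot it. The following is an added example, not code from the article or from Fisher's demonstration: a detection heuristic of the kind a browser extension or page-auditing tool could run to flag that layout. Element objects only need the DOM-like fields used here (a style object, scrollHeight, clientHeight, children and getBoundingClientRect), so the same function runs in a browser against document.documentElement with window.getComputedStyle and window.innerWidth/innerHeight, or in Node against the constructed trees at the bottom. The 95% coverage and 80px bar-height thresholds are assumptions chosen for the example.

```javascript
// Added example: heuristic for the "scroll jail" layout (not the article's code).

function coversViewport(rect, viewport) {
  // Treat anything filling at least 95% of the viewport as full-screen (assumed threshold).
  return rect.top <= 0 && rect.left <= 0 &&
    rect.width >= viewport.width * 0.95 &&
    rect.height >= viewport.height * 0.95;
}

function scrollsInternally(el, style) {
  // An overflow:scroll/auto box whose content is taller than the box itself.
  return (style.overflowY === "scroll" || style.overflowY === "auto") &&
    el.scrollHeight > el.clientHeight;
}

function hasTopBand(el, viewport, getStyle) {
  // Look for a descendant pinned to the top edge that is short and full-width:
  // the footprint of a bar drawn to resemble browser chrome.
  const stack = [...el.children];
  while (stack.length) {
    const child = stack.pop();
    const style = getStyle(child);
    const rect = child.getBoundingClientRect();
    const pinned = style.position === "fixed" || style.position === "sticky";
    if (pinned && rect.top <= 0 && rect.height > 0 && rect.height <= 80 &&
        rect.width >= viewport.width * 0.95) {
      return true;
    }
    stack.push(...child.children);
  }
  return false;
}

function detectScrollJail(root, viewport, getStyle) {
  // A normally laid-out page scrolls the document itself; the trick needs the
  // document to stay put so the browser never re-shows the real URL bar.
  if (root.scrollHeight > viewport.height) {
    return { suspicious: false, reason: "document scrolls" };
  }
  const stack = [...root.children];
  while (stack.length) {
    const el = stack.pop();
    const style = getStyle(el);
    const rect = el.getBoundingClientRect();
    if (coversViewport(rect, viewport) && scrollsInternally(el, style)) {
      const fakeBar = hasTopBand(el, viewport, getStyle);
      return {
        suspicious: fakeBar,
        reason: fakeBar ? "full-screen scroll container with pinned top band"
                        : "full-screen scroll container only",
        container: el,
      };
    }
    stack.push(...el.children);
  }
  return { suspicious: false, reason: "no full-screen scroll container" };
}

// --- Constructed fixtures so the heuristic runs without a browser ----------
function el(props) {
  const rect = props.rect || { top: 0, left: 0, width: 0, height: 0 };
  return {
    style: Object.assign({ position: "static", overflowY: "visible" }, props.style),
    scrollHeight: props.scrollHeight || rect.height,
    clientHeight: props.clientHeight || rect.height,
    children: props.children || [],
    getBoundingClientRect: () => rect,
  };
}
const VIEWPORT = { width: 360, height: 640 };   // constructed phone-sized viewport
const getStyle = (node) => node.style;

// Constructed benign page: a long article where the document itself scrolls.
const benignPage = el({
  rect: { top: 0, left: 0, width: 360, height: 640 },
  scrollHeight: 3000,
  children: [el({ rect: { top: 0, left: 0, width: 360, height: 3000 } })],
});

// Constructed jailed layout: document fits the viewport exactly, one full-screen
// overflow:scroll child holds the content, and a fixed 56px band sits at its top.
const jailedPage = el({
  rect: { top: 0, left: 0, width: 360, height: 640 },
  scrollHeight: 640,
  children: [el({
    rect: { top: 0, left: 0, width: 360, height: 640 },
    style: { overflowY: "scroll" },
    scrollHeight: 3000,
    clientHeight: 640,
    children: [
      el({ rect: { top: 0, left: 0, width: 360, height: 56 }, style: { position: "fixed" } }),
      el({ rect: { top: 56, left: 0, width: 360, height: 2900 } }),
    ],
  })],
});

console.log("benign:", detectScrollJail(benignPage, VIEWPORT, getStyle).reason);
console.log("jailed:", detectScrollJail(jailedPage, VIEWPORT, getStyle).reason);
```

This is a signal, not a verdict: mail clients, maps and other app-like sites legitimately use a full-viewport scroll container with a sticky header, so a tool built on it should surface the finding (for example by forcing the real address bar to be shown, or by prompting the user to confirm the URL) rather than block the page outright.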

Thus far, Google has not commented on the attack.


May 8 2019 | 13:30