Nowadays, internet scams happen literally every day, especially when we’re on our smartphones and less alert. Usually, a good security practice is to constantly check the URL of the page we are visiting. But from now on, that may not be enough!
A developer – James Fisher – has found a possible Google Chrome security flaw that could easily be exploited by hackers to carry out phishing attacks. Essentially, he managed, quite simply, to make Google Chrome for Android display a URL bar showing an address other than the actual one.
To prove his concept, he replicated the experience on his own personal website, where users might be misled into thinking they were on the site of the popular HSBC bank. Fisher called this tool the ‘inception bar’, clearly inspired by the popular film with Leonardo DiCaprio, and it will be easy to see why.
How does the ‘inception bar’ work, and why is it so dangerous?
When you visit a page in Google Chrome for Android, the header where the URL appears disappears as soon as you scroll down a bit. Although the browser shows the original bar again when you return to the top of the page, Fisher found a fairly easy way to prevent this from happening and to display a bar with a fake URL instead.
The way he described this process is frighteningly simple, explaining that it basically ‘catches’ the user inside a ‘scroll jail’. That is, it is as if you are trapped in a browser within your own browser, without knowing that this is happening.
By adding a blank space at the top of this ‘prison’, not only can you prevent Google Chrome from displaying the original header again, but you can even simulate the page-refresh animation.
Taking this situation to an even more serious level, James Fisher states that, with a little more work, it would not be difficult to make this fake header fully interactive.
Hackers could take advantage of this vulnerability to carry out phishing scams that could endanger millions of users without them being able to defend themselves.
What is a phishing scam?
This type of scam is usually very simple, and its main objective is to acquire the personal information of its victims. More specifically, it tricks victims by displaying a replica of an institution’s login page (bank, social network, PayPal, etc.), causing users to reveal their login information while thinking that they are accessing their own account.
So far, one of the most effective ways to avoid these situations has been to check the URL of the page. However, once this inception bar is applied, that will no longer be possible.
How can you protect yourself from this type of scam?
Honestly, it’s almost impossible to protect yourself against this scheme if it starts to be used in the wild. By locking and unlocking your smartphone, when Google Chrome reappears you can see the two address bars at the same time. However, unless you begin to suspect (literally) every page you visit, it is almost impossible to notice this trick.
So far there has not been any indication that this vulnerability in Google Chrome is being exploited by hackers. Let’s hope that the revelations of James Fisher allow the Mountain View company to correct this flaw before dozens of schemes begin to target users.