Android users: watch out for this fake address bar trick

When is an address bar not an address bar?

When it’s a fake.

Security researcher James Fisher has run across a sneaky attack that could fool unwitting mobile users into browsing a phishing site with an address bar displaying a legitimate URL.

The trick exploits the way that the Android version of the Chrome browser saves valuable small-screen real estate. When you scroll through a webpage on your mobile device, Chrome’s address bar disappears so that you can see more of the page. Fisher used this to introduce a fake UI attack.

His attack displays a fake URL bar where the real one used to be. This URL bar is just an element on the page, so it could say anything you want. It could even be an image of an address bar if you liked. An attacker could use this to fake your bank’s website but display a fake address bar showing its legitimate address – fooling you into thinking the site is authentic.

You should be able to check for the real address bar by just scrolling back to the top of your webpage, as Chrome will redisplay the address. Fisher has a trick to dodge that as well. He moves the entire webpage into a new element with its cascading style sheet (CSS) property set to overflow:scroll. The overflow property contains instructions for what to do if it has too much content to display at once. Setting scroll makes it introduce a scrollbar.

The result is a webpage within a webpage, which contains its own scroll bar. Users scrolling back up the webpage content think they are scrolling up the original webpage, but they are actually scrolling up an element within that webpage. This means they get to the top of that element’s content, but not the original webpage.

If that doesn’t fool the user and they try to scroll again, Fisher confounds them once more with a tall padding element at the top of the fake element. This bounces the user back when they try to scroll upwards, making it look like a page refresh without ever getting them to the top of the real webpage. So they won’t see the original legitimate address bar unless they hit the back button on the browser, or reload the page.

Fisher says:

With a little more effort, the page could detect which browser it’s in, and forge an inception bar for that browser. With yet more effort, the inception bar could be made interactive.

Here is a demonstration of the attack in Chrome on mobile. It works on both the iOS and Android versions of Google’s browser.

Fisher calls this exploit the “inception bar”, likening it to the dream attacks that we saw in the movie Inception. In that movie, criminals infiltrated people’s dreams and fooled the unwitting victim, who didn’t realize they were dreaming. The criminals used a spinning top to tell whether they were dreaming or awake. The top spun indefinitely in the dream but fell over in reality.

What’s the Chrome equivalent of a spinning top?

The most obvious way to avoid falling for this, should anyone employ this trick, is to double check the real address bar before scrolling down.

Hitting the back button in your browser or reloading the webpage are two options if you’re already further down the page.

Or you could remind yourself that if Chrome mobile is showing you an address bar at all while you’re halfway down the page, then something is phishy.

… or you could switch to iOS. We tested the attack on an iPhone in both Safari and Chrome. Both browsers displayed both the fake address bar and the legitimate one, rendering the attack far less effective.