MALICIOUS WEBSITES could exploit Chrome on Android to display a fake address bar to trick users into thinking they're on a different site to the one they're actually accessing.
Developer Jim Fisher found the exploit and revealed how, with little more than a few web design tweaks, one could manipulate how Chrome on Android displays the address bar.
With a normal, friendly website, the Chrome browser gives up the address bar's screen space to the web page content when an Android user scrolls down a page.
But Fisher found that a malicious website could trick Chrome into redisplaying what looks like a legitimate address bar, but which would in fact be a fake one showing a different URL to the site's actual address. As such, it could be used to dupe users into believing they are on the right site.
"We can trick Chrome so that it never re-displays the true URL bar! Once Chrome hides the URL bar, we move the entire page content into a 'scroll jail' - that is, a new element with overflow:scroll," explained Fisher.
"Then the user thinks they're scrolling up in the page, but in fact they're only scrolling up in the scroll jail! Like a dream in Inception, the user believes they're in their own browser, but they're actually in a browser within their browser.
"But it gets even worse! Even with the above 'scroll jail', the user should be able to scroll to the top of the jail, at which point Chrome will re-display the URL bar. But we can disable this behaviour, too! We insert a very tall padding element at the top of the scroll jail. Then, if the user tries to scroll into the padding, we scroll them back down to the start of the content! It looks like a page refresh."
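As an added illustration (not code from the article or from Fisher), the heuristic below flags the layout Fisher describes from the defender's side: a document that cannot scroll at all, one viewport-sized descendant that does the scrolling, and a very tall padding block as that scroller's first child. The node shape {overflowY, height, scrollHeight, children} and the toNode() adapter are assumptions made so the same logic runs offline on a constructed tree and in a browser console against real elements.

```javascript
const JAIL_MIN_FILL = 0.9;   // scroller must cover roughly the whole viewport
const PADDING_FACTOR = 2;    // first child taller than two viewports is suspicious

function isScroller(node) {
  return (node.overflowY === "scroll" || node.overflowY === "auto") &&
         node.scrollHeight > node.height + 1;
}

function findScrollers(node, out = []) {
  if (isScroller(node)) out.push(node);
  for (const child of node.children) findScrollers(child, out);
  return out;
}

// Returns { suspicious, reasons } for a node tree rooted at the document element.
function looksLikeScrollJail(root, viewportHeight) {
  const reasons = [];
  // A normal page scrolls at the document level; a jailed page pins the document.
  const documentPinned = root.scrollHeight <= viewportHeight + 1;
  if (!documentPinned) return { suspicious: false, reasons };
  for (const s of findScrollers(root)) {
    if (s.height < JAIL_MIN_FILL * viewportHeight) continue;
    reasons.push("document does not scroll; viewport-sized inner scroller found");
    const first = s.children[0];
    if (first && first.height >= PADDING_FACTOR * viewportHeight) {
      reasons.push("inner scroller starts with a very tall padding element");
    }
  }
  return { suspicious: reasons.length > 0, reasons };
}

// Browser adapter (assumed usage): looksLikeScrollJail(toNode(document.documentElement), window.innerHeight)
function toNode(el) {
  const win = el.ownerDocument.defaultView;
  return {
    overflowY: win.getComputedStyle(el).overflowY,
    height: el.getBoundingClientRect().height,
    scrollHeight: el.scrollHeight,
    children: Array.from(el.children).map(toNode),
  };
}

// Constructed sample trees (not taken from any real site) for a 700px-high viewport.
const n = (overflowY, height, scrollHeight, children = []) => ({ overflowY, height, scrollHeight, children });
const VIEWPORT = 700;
const jailedPage = n("hidden", VIEWPORT, VIEWPORT, [
  n("scroll", VIEWPORT, 6000, [n("visible", 3000, 3000), n("visible", 3000, 3000)]),
]);
const normalPage = n("visible", 6000, 6000, [n("visible", 6000, 6000)]);
```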
The exploit doesn't harvest data or enable the execution of any nasty code, so we'd imagine it would require a degree of social engineering to get someone onto the site.
But once they're on it, it could allow a dodgy site to pretend to be legit, potentially encouraging people to share sensitive data or directing them to malware-loaded pages and other places with digital nasties.
At the time of writing, there's no immediate fix, and Fisher said he doesn't really know how people can guard themselves against the attack, though he does suggest some possible fixes.
"There's a trade-off, between maximizing screen space on one hand, and retaining trusted screen space on the other," said Fisher.
"One compromise would be for Chrome to retain a small amount of screen space above the 'line of death' instead of giving up literally all screen space to the web page. Chrome could use this space to signal that 'the URL bar is currently collapsed', e.g. by displaying the shadow of an almost-hidden URL bar."
We guess that'll be another gremlin Google will have to iron out of Android. µ