In a proof-of-concept (PoC) blog post published earlier this week, developer James Fisher revealed a new phishing method against Chrome for Android that abuses the way the browser hides the URL bar.
After concealing the URL bar, the browser “passes the URL bar’s screen space to the webpage. Because this screen space is associated by the user with ‘browser UI,’ a website can use it to pose as a different website by displaying its own fake URL bar – the inception bar,” Fisher wrote.
“In my proof-of-concept, I’ve just screenshotted Chrome’s bar on the HSBC site, then inserted that into this webpage. With a bit more effort, the page could forge an inception bar, and could detect which browser it’s in. With more effort, the inception bar could be made interactive. Even if the user isn’t fooled by the page, you can get another try after the user enters ‘gmail.com’ in the inception bar!”
Fisher’s post has drawn a variety of responses on Twitter, with several.
“Whilst the proof of concept from Mr. Fisher is not perfect, Google and others should think about implementing mitigation techniques such as the ‘Line of Death’ to make the demarcation between browser UI and web content more evident,” said Gavin Millard, VP of intelligence, Tenable.
“Users fall for fake sites constantly, hence the continued scourge of phishing sites, but this new approach could fool even the most cyber-savvy individual. Exploiting this could lead to information disclosure and fraud.”
“We’re constantly improving holistic solutions to phishing like security keys, Safe Browsing, and Chrome’s. Our team is aware of this issue and continues to explore solutions.”