'Inception Bar' hack tricks Google Chrome users

Joanna Estrada
May 2, 2019

The attackers can also apply modifications that stop users from seeing the real address bar, even after they scroll back up.

Google Chrome mobile users need to be especially careful when visiting banking sites or other sensitive sites following the discovery of a new phishing technique.

Fortunately, this trick is focused on Chrome and is only a proof of concept for now, but when leveraged by bad actors and malicious sites, it could theoretically display fake address bars not just on Chrome but on a variety of other browsers as well. As you scroll down, Chrome hides the address bar to give more space to the webpage, and that is exactly where this so-called "inception bar" comes in. Then, if the user tries to scroll into the padding, the page scrolls them back down to the start of the content.

Attackers can use the way the Chrome app displays the address bar to their advantage. Fisher used this to introduce a fake UI attack.

Once Chrome hides the URL bar, the entire page content is moved into a "scroll jail", that is, a new element with overflow:scroll. Even in this scenario, the user should be able to exit the "jail" by scrolling up.

Martijn Grooten, editor of industry journal Virus Bulletin and occasional security researcher, added: "In a parallel universe where everyone checks the actual URL in the address bar to determine whether a site is legitimate this is pretty scary indeed".

The top spun indefinitely in the dream but fell over in reality. Yes, it should be as easy as hitting the back button on their device, but plenty of websites have shown that this is easy to override.

Or you could remind yourself that if Chrome mobile is showing you an address bar at all while you're halfway down the page, then something is phishy. The only time the user has the opportunity to verify the true URL is on page load, before scrolling the page.

According to a 9to5Google report, the best method to check whether your address bar has been tampered with is to lock the phone, then unlock it again.
