Developer misleads Android users with ‘Inception bar’ in Chrome

A developer has identified a potential security vulnerability in Chrome. It is possible to hide the url bar, while the page displays its own url bar. This opens up the possibility of misleading uses for phishing, for example.

Because of its function through a web page in the web page to fool the user, James Fisher calls it the “Inception bar.” Its proof-of-concept contains no malware, but does show how it works. For example, when scrolling up, the page with the explanation shows a URL bar containing the page of the bank HSBC. As a result, malicious parties could use the technique for spoofing.

If the url bar disappears from view, the developer puts the entire page in a scroll jail, with a scroll:overflow element in the code. If the user then scrolls up, it will happen in that element of the webpage, but not on the page itself. As a result, Chrome will not display the URL bar again.

The technique also works with scrolling all the way up with a large padding element at the top of the page. This returns the user to the beginning of the article. The technology does not work flawlessly. In some cases, the browser does display the bar, so a double bar is shown.

The technique would no longer work if Google decided not to automatically hide the URL bar in Chrome for Android. This is happening for the time being, so this technology will continue to function for the time being. Google has not yet commented on the proof-of-concept.

Your browser does not support the video tag.