Developer Reveals Phishing Exploit in Chrome

April 30, 2019

In a proof-of-concept (PoC) blog post published earlier this week, developer James Fisher disclosed a new phishing method in Chrome for mobile on Android in which the browser hides the URL bar.

After hiding the URL bar, the browser “passes the URL bar’s screen space to the web page. Because the user associates this screen space with 'trustworthy browser UI,' a phishing site can then use it to pose as a different site, by displaying its own fake URL bar – the inception bar,” Fisher wrote.

“In my proof-of-concept, I’ve just screenshotted Chrome’s URL bar on the HSBC website, then inserted that into this webpage. With a little more effort, the page could detect which browser it’s in, and forge an inception bar for that browser. With yet more effort, the inception bar could be made interactive. Even if the user isn’t fooled by the current page, you can get another try after the user enters 'gmail.com' in the inception bar!”

Still, Fisher’s post has gotten a variety of responses on Twitter, with several noting that they are unable to get the PoC working on Chrome.
