Flaw in Google Chrome address bar could help launch phishing attack

News by Rene Millman

Proof of concept shows how easy it is for criminals to fool victims

A security researcher has developed a proof of concept exploit for the Google Chrome Android web browser that could allow a hacker to create a fake address bar, and also hide the real one.

Security researcher James Fisher discovered that in Chrome for Android a hacker could not only create a fake address bar and permanently hide the real bar, but could also lock a user into the fake browser.

"Normally, when the user scrolls up, Chrome will re-display the true URL bar. But we can trick Chrome so that it never re-displays the true URL bar! Once Chrome hides the URL bar, we move the entire page content into a "scroll jail" - that is, a new element with overflow:scroll," said Fisher in a blog post.

He added that the victim would think that they’re scrolling up in the page, but in fact they’re only scrolling up in the "scroll jail".

"Like a dream in Inception, the user believes they’re in their own browser, but they’re actually in a browser within their browser," he said.

He said that even with the above "scroll jail", the user should be able to scroll to the top of the jail, at which point Chrome will re-display the URL bar.

"But we can disable this behaviour, too! We insert a very tall padding element at the top of the scroll jail. Then, if the user tries to scroll into the padding, we scroll them back down to the start of the content! It looks like a page refresh," he said.

Currently there are no fixes for the problem. Fisher said the problem is a "trade-off between maximizing screen space on one hand, and retaining trusted screen space on the other."

"One compromise would be for Chrome to retain a small amount of screen space above the "line of death" instead of giving up literally all screen space to the web page. Chrome could use this space to signal that "the URL bar is currently collapsed", e.g. by displaying the shadow of an almost-hidden URL bar," said Fisher.

Tod Beardsley, research director at Rapid7, told SC Media UK that the technique demonstrated by Fisher shows that, on mobile, even cautious users are getting ever-more hamstrung when it comes to inspecting the veracity of websites.

"IT security pros often find themselves advising people to "be careful" when it comes to visiting websites with sensitive data, but this advice is pretty nonsensical when attacker-controlled content can realistically overwrite chunks of the user's screen -- especially those chunks users have trained to trust -- or when the UI simply doesn't provide meaningful security indicators," he said.

"On desktop environments, we urge users to visually inspect links by hovering their mouse over the hyperlink text and looking at the target at the bottom of the screen. Alas, this action is impossible on nearly all mobile platforms, so in order to confirm we are where we think we are, we'll have to click on that maybe-suspicious link, then verify the URL bar after the fact. Fisher's proof-of-concept invalidates even this too-late validation check."

Beardsley added that when it comes to visual cues about security, things aren't great today on mobile, and haven't been for a while.

"I wish I could give better advice than simply, "be careful," but unfortunately, that's about all I can say until mobile OS developers come up with a UI that is actually trustworthy."
