The new "inception bar" phishing method fakes Chrome's address bar as you scroll




Developer James Fisher has discovered a new type of potential phishing attack, which he calls the "inception bar." The attack allows a site to spoof a URL in the mobile version of Chrome when scrolling and then lock the user into a fake user interface. In fact, the site detailing this newly discovered flaw uses it, appearing to show an HSBC URL.

The inception bar attack takes advantage of the fact that Chrome on mobile hides the address bar when scrolling. While this is a really useful feature on a smaller screen, allowing you to see more content in the limited space provided, the attack manipulates it, replacing the URL bar with a fake one after the real one has been hidden, thus exploiting the implicit trust placed in a recognizable user interface element. Worse, it is able to prevent the actual bar from reappearing when you scroll back up as it should, using what the developer calls a "scroll jail": the user is locked into an overflow container, complete with a fake page refresh if they scroll up too far.

In this case, the fake bar is simply a static image showing an HSBC address as a proof of concept (and it is sometimes buggy, showing both bars), but nothing prevents malicious and enterprising people from creating an interactive, dynamic bar using the same tools. The address bar and menu built into the fake user interface could offer interactivity for a more convincing effect. In that case, even trying to navigate to the correct URL when you notice something sketchy would not matter, because you would be using the fake URL bar. Even worse, a really well-designed site could pull in content from a URL that you enter manually to make the illusion more convincing. In other words, once you have loaded a site with the inception bar, there is hardly any way to know if or when you have left, hence the name.

Video demonstration by James Fisher.

Once you try to open your list of open tabs, dig far enough into Chrome's menus, or navigate back far enough, the illusion falls apart, but the inception bar could easily fool many of us before it gets that far.

Fisher sees this as a security flaw with no easy solution, and it's hard to disagree. So far, this type of potential attack is not (yet) being used in the wild, but there does not seem to be any obvious way to mitigate it without changing the way Chrome hides the URL bar on mobile when scrolling.
