When is an address bar not an address bar?
When it's a fake.
Security researcher James Fisher has come up with a sneaky attack that could lure unsuspecting mobile users onto a phishing site whose address bar appears to show a legitimate URL.
This trick exploits the way the Android version of the Chrome browser saves valuable real estate on a small screen. When you scroll down a web page on your mobile device, Chrome's address bar disappears so you can see more of the page. Fisher used this to introduce a fake UI attack.
His attack displays a fake URL bar in place of the real one. Because this URL bar is just another element of the page, it can say anything the attacker wants; it could even be a plain image of an address bar. An attacker could use it to imitate your bank's website while showing a dummy address bar carrying the bank's legitimate address, deceiving you into believing that the site is genuine.
You should be able to check the real address bar simply by scrolling back to the top of the page, because Chrome then shows the address again. Fisher has a way around that too. He moves the entire web page into a new element whose Cascading Style Sheet (CSS) overflow property is set to overflow: scroll. The overflow property tells the browser what to do when an element has more content than it can display at once; setting it to scroll gives the element its own scrollbar.
The result is a web page inside a web page, with its own scrollbar. Users who scroll back up through the content think they are scrolling to the top of the original page, but they are actually scrolling an element within that page. They reach the top of that element's content, not the top of the real page.
If that does not fool the user and they keep trying to scroll up, Fisher confuses them again with a padding element at the top of the fake container. When the user scrolls up into it, the page appears to refresh, without ever reaching the top of the real page. So the user never sees the legitimate address bar unless they press the browser's Back button or reload the page.
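The layout described above has a recognisable shape: the document itself never scrolls, one viewport-sized element with overflow: scroll carries all the content, and a tall spacer sits at the top of it. The following heuristic, written as an added example (not code from the article or from Fisher's demo), flags that shape from a simplified set of element measurements; the descriptor fields, thresholds and the sample layout are constructed assumptions, and collectFromDocument() gathers the same descriptors from a live page where a DOM exists.

```javascript
// Element descriptor shape (constructed here; collectFromDocument() builds it
// from a real DOM): { overflowY, top, width, height, scrollHeight, firstChildHeight }.
function analyzeLayout(viewport, elements) {
  const reasons = [];
  // 1. One element the size of the viewport does the scrolling, not the document.
  const wrappers = elements.filter(e =>
    (e.overflowY === 'scroll' || e.overflowY === 'auto') &&
    e.top <= 1 &&
    e.width >= viewport.width * 0.95 &&
    e.height >= viewport.height * 0.95 &&
    e.scrollHeight > e.height);
  if (wrappers.length === 0) return { suspicious: false, reasons };
  reasons.push('a viewport-sized element scrolls instead of the document');
  // 2. The document has nothing to scroll, so the real address bar can never reappear.
  if (viewport.documentScrollHeight <= viewport.height + 1) {
    reasons.push('the document itself cannot scroll');
  }
  // 3. A tall spacer at the top of the wrapper: the fake "refresh" padding.
  if (wrappers[0].firstChildHeight >= viewport.height * 0.5) {
    reasons.push('tall leading spacer inside the scrolling wrapper');
  }
  return { suspicious: reasons.length >= 2, reasons };
}

// Gathers the same descriptors from a live page (e.g. an extension content script).
function collectFromDocument() {
  const viewport = {
    width: window.innerWidth, height: window.innerHeight,
    documentScrollHeight: document.documentElement.scrollHeight,
  };
  const elements = Array.from(document.querySelectorAll('body *')).map(el => {
    const r = el.getBoundingClientRect();
    const first = el.firstElementChild;
    return {
      overflowY: getComputedStyle(el).overflowY, top: r.top, width: r.width,
      height: r.height, scrollHeight: el.scrollHeight,
      firstChildHeight: first ? first.getBoundingClientRect().height : 0,
    };
  });
  return analyzeLayout(viewport, elements);
}

// Constructed sample: a 360x640 phone viewport, a document that fits exactly,
// one full-screen overflow: scroll wrapper whose first child is a screen-high spacer,
// and a 56px element standing in for the fake address bar.
const SAMPLE_VIEWPORT = { width: 360, height: 640, documentScrollHeight: 640 };
const SAMPLE_ELEMENTS = [
  { overflowY: 'scroll', top: 0, width: 360, height: 640, scrollHeight: 4200, firstChildHeight: 640 },
  { overflowY: 'visible', top: 0, width: 360, height: 56, scrollHeight: 56, firstChildHeight: 56 },
];
```

A normal page with an ordinary scrollable panel (not full-screen, document still scrollable) does not trip the heuristic, so it can sit in a content script and only raise a warning when at least two of the three signs coincide.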
Fisher says:
With a little more effort, the page could detect which browser it is in and forge a bar for that browser. With even more effort, the inception bar could be made interactive.
Here is a demonstration of the attack in Chrome on mobile. It works on both iOS and Android versions of Google's browser.
Fisher calls this exploit the "inception bar", comparing it to the dream attacks in the movie Inception. In that film, criminals infiltrated people's dreams and deceived victims who did not realise they were dreaming. The criminals used a spinning top to tell whether they were dreaming or awake: in a dream the top spun indefinitely, but in reality it toppled over.
What is the Chrome equivalent of the spinning top?
The most obvious way to avoid falling for this trick is to check the real address bar before you scroll down the page.
Pressing your browser's Back button or reloading the page are two options if you are already further down.
You can also keep in mind that if Chrome on mobile shows you an address bar while you are in the middle of a page, something is wrong.
… or you can switch to iOS. We tested the attack on an iPhone with Safari and Chrome. Both browsers display the fake address bar and the legitimate bar together, making the attack far less effective.