Developer James Fisher uncovered a weakness in the Google Chrome for Android web browser which, according to him, could be exploited for phishing attacks. He demonstrated it with a proof of concept he named "the inception bar", a term he coined.
The inception bar builds on an old idea: tricking users with web pages that display images of the system's own user interface (UI). Spoofing browser UI is not new in the cyber security world, but this variant goes a step further.
Fisher carried out an experiment to show that Chrome for Android's UI and address bar can be hidden and replaced with a fake UI and address bar drawn by the web page itself, using nothing more than code running in the page. His demonstration page tricks users into thinking they are on a legitimate banking website (hsbc.com), when the page is actually hosted on jameshfisher.com.
In James Fisher's blog post he says: “In Chrome for Android, when the user scrolls down, the browser hides the URL bar, and hands the URL bar’s screen space to the web page. Because the user associates this screen space with ‘trustworthy browser UI’, a phishing site can then use it to pose as a different site, by displaying its own fake URL bar, the inception bar.”
The exploit works like this. When a user scrolls down a page in Chrome for Android, the browser's top UI, with the address bar and tabs button, is hidden from view. Fisher reports that a page can then “jail” its own scrolling: once the real bar is hidden, the page moves its content into a container that scrolls internally, so the document itself never scrolls again. Because Chrome only restores its UI when the document is scrolled back up, the user can scroll up and down the content without the real address bar ever reappearing.
In the space the browser has given up, the page then displays an image of a fake address bar at the top of the screen, where Chrome for Android's own UI normally sits, showing a completely different URL, complete with the padlock icon that tells users a page is “secure”. The real address bar stays out of view, and the fake one does not go away until the user navigates to another website.
The result is that a user believes they are on the legitimate site, because the page mimics exactly what the browser would show for it.
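As an added example, not James Fisher's own proof-of-concept code, the following is a minimal reconstruction of the two mechanisms described above, the scroll jail and the fake bar, so that their interaction with Chrome's collapsing URL bar is concrete. The toolbar height, the element ids, the scroll threshold used as the trigger, and the placeholder host example.com are all assumptions made for the illustration, not Chrome internals.

```javascript
// Added example (not James Fisher's published proof of concept): a minimal
// reconstruction of the scroll jail and the inception bar. TOOLBAR_HEIGHT_PX,
// the element ids, the trigger threshold and the host 'example.com' are
// assumptions for the illustration, not Chrome internals.

const TOOLBAR_HEIGHT_PX = 56; // assumption: rough height of Chrome for Android's URL bar

// Pure decision logic, kept free of DOM calls so it can be tested in Node.
// Chrome collapses its URL bar after the document scrolls down; the page
// should build its jail exactly once, and only after that has happened.
function shouldJail(state, scrollY) {
  if (state.jailed) return false;      // the jail is built once and never rebuilt
  return scrollY >= TOOLBAR_HEIGHT_PX; // assumption: by now the real bar is collapsed
}

// The scroll jail. The page's whole body is moved into a full-viewport
// container that scrolls internally. From now on the *document* never
// scrolls, so Chrome sees no scroll-up on it and leaves its real URL bar
// collapsed, while the user still sees a page that scrolls normally.
function buildScrollJail(doc) {
  const jail = doc.createElement('div');
  jail.id = 'scroll-jail';
  Object.assign(jail.style, {
    position: 'fixed', top: '0', left: '0',
    width: '100vw', height: '100vh',
    overflowY: 'scroll',
    overscrollBehavior: 'contain', // no scroll chaining to the document at the edges
  });
  while (doc.body.firstChild) jail.appendChild(doc.body.firstChild); // move, not copy
  doc.body.appendChild(jail);
  return jail;
}

// The inception bar: a page-drawn strip placed where the real URL bar was.
// A screenshot of the target site's URL bar is what makes it convincing;
// here a labelled placeholder with a padlock glyph stands in for it.
function buildInceptionBar(doc, jail, spoofedHost) {
  const bar = doc.createElement('div');
  bar.id = 'inception-bar';
  Object.assign(bar.style, {
    position: 'sticky', top: '0',                  // stays pinned while the jail scrolls
    height: TOOLBAR_HEIGHT_PX + 'px', lineHeight: TOOLBAR_HEIGHT_PX + 'px',
    background: '#f1f3f4', borderBottom: '1px solid #dadce0',
    fontFamily: 'sans-serif', textAlign: 'center',
  });
  bar.textContent = '\u{1F512} ' + spoofedHost; // padlock + the origin the page pretends to be
  jail.insertBefore(bar, jail.firstChild);
  return bar;
}

// Wire the two together: on the first scroll past the assumed bar height,
// build the jail, restore the user's scroll offset inside it (approximately,
// since the fake bar now occupies the top) so the content does not jump,
// and pin the fake bar above the content.
function install(win, doc, spoofedHost) {
  const state = { jailed: false };
  win.addEventListener('scroll', () => {
    const offset = win.scrollY;
    if (!shouldJail(state, offset)) return;
    state.jailed = true;
    const jail = buildScrollJail(doc);
    buildInceptionBar(doc, jail, spoofedHost);
    jail.scrollTop = offset;
  }, { passive: true });
  return state;
}

// Only wire into a real page when run in a browser; in Node the functions
// above can be exercised on their own.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  install(window, document, 'example.com'); // demo host, not a real target
}
```

The important line is the `while` loop in `buildScrollJail`: after it runs, the document has nothing left to scroll, so every swipe the user makes is handled inside the jail and the browser never receives the document scroll that would bring its real address bar back. The `position: sticky` bar is ordinary page content, which is exactly why no browser indicator distinguishes it from the real thing.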
A weakness of this kind puts both organisations and individual users at risk. It can be used to harvest sensitive information such as login credentials and other personal data, which in turn can be used for fraud or to gain unauthorised access to an organisation's network.
Fisher even wrote that he accidentally started treating the inception bar as the real address bar, even though he was the one who created it. If the author himself fell for it, it is easy to imagine how many unsuspecting users would fall prey if the flaw were exploited maliciously.
According to a post by 9to5google.com, the best way yet to check whether your address bar is real is to lock the phone and then unlock it again. Reportedly, doing this forces Chrome for Android to show its real address bar while leaving the fake one on display beneath it, so the two can be compared. This is a manual workaround for users, not a fix: the page still controls everything drawn below the real bar.
What is the solution to this?
According to David Winder's report of 29th April 2019 on Fisher's blog post, James Fisher suggests that Google needs to address the trade-off between maximising screen space and retaining trusted screen space.
He says Google could let Chrome retain some space above the “line of death”, rather than handing all of it to the web page, and use it "to signal when the URL bar is currently collapsed by displaying the shadow of an almost-hidden URL bar."
David Winder continues: “Gavin Millard, vice-president of intelligence at security vendor Tenable, agrees. ‘Whilst the proof of concept by Mr. Fisher isn't perfect,’ Millard says, ‘Google and others should consider implementing mitigation techniques to make the demarcation between browser UI and web content more obvious.’”
“Chris Doman, a security researcher for AT&T Alien Labs, also thinks that it's something Google needs to address. ‘This kind of fake UI is surprisingly tricky to block in all cases,’ Doman explains, ‘but Google can detect exact copy-cats of James's code fairly easily. A saving grace is this requires you to scroll down first, but it's also trivial to auto scroll down a page.’”
To learn more, visit James Fisher's website, https://jameshfisher.com, where he explains his experiment and findings in detail.
Reference links:
https://jameshfisher.com/2019/04/27/the-inception-bar-a-new-phishing-method/