Google’s efforts over the year to improve its Chrome browser on mobile platforms has now given rise to a new exploit that could be used in phishing attacks on Android and iOS, according to security researcher James Fisher. Specifically, the researcher says that a combination of Chrome’s automatically-hiding URL Omnibox and sophisticated features that allow web developers more control over a website’s interactions could let bad actors create fake URL bars to steal user’s information or lock them into a web page.
The potential attack is instantiated when a web developer implements their own UI to mimic the Omnibox at the top of the page. That can be loaded up in tandem with a scroll so that it only appears after the user has left the real URL bar behind. With sufficient padding above that mockup UI, a web page can force the user to return to the content on the page if they try to scroll past the fake UI — an action Mr. Fisher says mimics a page refresh.
In the most extreme cases, where the Omnibox disappears completely, users will only see the fake URL box. The false UI could potentially be made interactive too, pulling data about the user’s browser to draw up a working doppelganger. If that happens, the exploit could then be tied to other vulnerabilities, allowing redirects to other fake pages that steal credentials. That includes bank pages or email login pages, among others.
Avoiding the issue
The problem is that many Chrome users simply wouldn’t notice that something is off about their Omnibox if properly implemented by a malicious entity. The source has also noted that a fake Omnibox UI so convincing that he interacted with several of his own on multiple occasions despite being aware that it wasn’t real.
For most users, the exploitable features won’t pose much risk, particularly if they’re wary about where and when sensitive information is put into a field and interact with the URL bar frequently. There’s also no evidence that the exploit has been used nefariously just yet.
The fact that Mr. Fisher fell for his own fake Omnibox creations does reveal that diligence may not be enough though. So Chrome users should take care to be more aware of their browsing habits and the information they’re entering online.
With regard to a more permanent fix, there doesn’t seem to be one as of this writing and the security research isn’t sure exactly how the problem might be fixed. Google may need to stop hiding the Omnibox completely or only partially hide it, Mr. Fisher says. The vulnerability may end up affecting Chrome OS too if a fix isn’t found and implemented since Google has previously worked to bring UI hiding changes to that platform as well.
Not the first time and probably not the last
This isn’t the first time Google has had issues with new features breaking down security for its widely popular web browser. On desktop Chrome, for example, the company had previously started allowing web developers to create their own extensions for the browser and to let users install them off-site. That ultimately led to the creation and spread of fake or malicious extensions, forcing Google to roll back that change completely.
Google has similarly spent an enormous amount of resources and time to make Chrome more user-friendly and immersive. Taken in combination, that’s led to the exploit in question. It remains to be seen if or how Google addresses the latest issue but it may turn out to be a similar situation, with the only viable solution being to remove the features.
Regardless, as the search giant continues to break new ground in immersion and PWAs to further cement its placement at the top of the browser pile, there will almost certainly be more problems that crop up.