A new type of potential phishing attack, called the "inception bar" by its creator, has been discovered by developer James Fisher. The attack allows a site to spoof the URL bar in the mobile version of Chrome once the user scrolls, subsequently locking the user into a false UI. In fact, the site detailing this newly-discovered flaw makes use of it, appearing to show an HSBC URL.
The inception bar attack takes advantage of the fact that Chrome on mobile hides the address bar when scrolling. While that's a genuinely useful feature on a smaller screen, allowing you to see more content in the limited space provided, this attack manipulates it, replacing the URL bar with a fake after the real one is hidden and exploiting the implicit trust behind a recognizable UI element. Worse, it's able to prevent the real bar from reappearing when you scroll back up, as it normally would, using what the developer calls "scroll jail": the page locks the user into an overflow container, complete with a fake page refresh if they scroll up too far.
The fake bar, in this instance, is just a static image that spoofs the HSBC address as a proof of concept (and it bugs out on occasion, showing both bars), but nothing is preventing more maliciously enterprising individuals from creating an interactive, dynamic bar using the same tools. The address bar and menu built into the fake UI could offer interactivity for a more convincing effect. In that case, even trying to navigate to the proper URL if you pick up on any sketchiness wouldn't matter, as you'd be using the fake URL bar. Worse, a truly well-engineered site could pull content from a URL you manually enter to better spoof it. In other words, once you've loaded a site with the inception bar, there would be little way to know if or when you left — hence the name.
Demonstration video by James Fisher.
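The two ingredients described above (a page that locks document scrolling into an inner container, and a bar-shaped element pinned at the top of that container that displays an address) are also what a defender can look for. The following is an added example, not code from James Fisher's post or from Chrome: a heuristic that scores a simplified snapshot of a page's layout. The field names (`documentScrollHeight`, `bodyOverflowY`, per-element `position`, `overflowY`, `scrollHeight`, `backgroundImage`, and so on) are assumptions modelled on DOM and computed-style properties; a real content script or browser extension would fill them from `getComputedStyle()` and `getBoundingClientRect()`. The sample pages at the bottom are constructed for the example.

```javascript
// Added example (not from the original article or from Chrome): a heuristic
// detector for the two ingredients of the "inception bar": a scroll jail and a
// bar-shaped, address-showing element pinned to the top of the viewport.
// All field names on the page model are assumptions modelled on DOM properties.

const ADDRESS_BAR_MIN_PX = 36; // assumption: plausible mobile address bar heights
const ADDRESS_BAR_MAX_PX = 96;
const URL_LIKE = /^(https?:\/\/)?[a-z0-9.-]+\.[a-z]{2,}(\/|$)/i;

// A scroll jail: the real document cannot scroll, but one container that
// covers (almost) the whole viewport scrolls on its own.
function findScrollJail(page) {
  const documentLocked =
    page.documentScrollHeight <= page.viewportHeight ||
    ['hidden', 'clip'].includes(page.bodyOverflowY);
  if (!documentLocked) return null;
  return page.elements.find(el =>
    ['auto', 'scroll'].includes(el.overflowY) &&
    el.scrollHeight > el.clientHeight &&
    el.height >= page.viewportHeight * 0.9 &&
    el.width >= page.viewportWidth * 0.9
  ) || null;
}

// A spoofed bar: pinned at the top, as tall and wide as a browser address bar,
// and showing either an image or URL-looking text.
function findSpoofedBar(page, jail) {
  return page.elements.find(el => {
    if (el === jail) return false;
    const pinnedTop = el.top <= 2 && (el.position === 'fixed' || el.position === 'sticky');
    const barShaped = el.height >= ADDRESS_BAR_MIN_PX && el.height <= ADDRESS_BAR_MAX_PX &&
      el.width >= page.viewportWidth * 0.95;
    const showsAddress = Boolean(el.backgroundImage) || URL_LIKE.test(el.text || '');
    return pinnedTop && barShaped && showsAddress;
  }) || null;
}

// A scroll jail alone is common in legitimate web apps (chat clients, maps), so
// the page is only reported as suspicious when both ingredients are present.
function assessPage(page) {
  const jail = findScrollJail(page);
  if (!jail) return { suspicious: false, reasons: [] };
  const reasons = [`scroll jail: document locked, #${jail.id} scrolls instead`];
  const bar = findSpoofedBar(page, jail);
  if (bar) reasons.push(`bar-shaped element #${bar.id} pinned at top and showing an address`);
  return { suspicious: Boolean(bar), reasons };
}

// Constructed sample: an ordinary article page that scrolls normally.
const benignPage = {
  viewportWidth: 412, viewportHeight: 780,
  documentScrollHeight: 5200, bodyOverflowY: 'visible',
  elements: [
    { id: 'header', position: 'sticky', top: 0, height: 56, width: 412,
      overflowY: 'visible', scrollHeight: 56, clientHeight: 56, text: 'Site News' },
    { id: 'main', position: 'static', top: 56, height: 5100, width: 412,
      overflowY: 'visible', scrollHeight: 5100, clientHeight: 5100, text: '...' },
  ],
};

// Constructed sample: document locked, an inner container does the scrolling,
// and a sticky image the size of an address bar sits at the top (placeholder
// image name; no real asset).
const jailedPage = {
  viewportWidth: 412, viewportHeight: 780,
  documentScrollHeight: 780, bodyOverflowY: 'hidden',
  elements: [
    { id: 'jail', position: 'static', top: 0, height: 780, width: 412,
      overflowY: 'scroll', scrollHeight: 9000, clientHeight: 780 },
    { id: 'fakebar', position: 'sticky', top: 0, height: 56, width: 412,
      overflowY: 'visible', scrollHeight: 56, clientHeight: 56,
      backgroundImage: 'url(placeholder-bar.png)' },
    { id: 'content', position: 'static', top: 56, height: 8944, width: 412,
      overflowY: 'visible', scrollHeight: 8944, clientHeight: 8944, text: 'Log in' },
  ],
};

// Constructed sample: the same jailed layout without the bar, as an app shell
// with an inner scroll area would look. It should not be flagged.
const appShellPage = { ...jailedPage, elements: jailedPage.elements.filter(e => e.id !== 'fakebar') };

console.log(assessPage(benignPage));   // suspicious: false, no reasons
console.log(assessPage(appShellPage)); // suspicious: false, one reason (scroll jail only)
console.log(assessPage(jailedPage));   // suspicious: true, two reasons
```

The thresholds are deliberately loose; the value of the heuristic is in requiring both signals together, since neither the inner scrolling container nor a sticky header is unusual on its own. A browser-side check like this is a stopgap for users and researchers, not a substitute for the change to how Chrome hides the bar that the article discusses.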
Once you try to open your list of open tabs, delve far enough into Chrome's menus, or navigate back far enough, the jig would be up, but the inception bar could easily fool many of us before we get that far.
Fisher sees this as a security flaw without an easy fix, and it's hard to disagree. So far, this type of attack hasn't been seen in the wild, but there doesn't seem to be an obvious way to mitigate it without changing how Chrome handles hiding the URL bar on mobile when scrolling.
- James Fisher