Welcome to HSBC, the world’s seventh-largest bank! Of course, the page you’re reading isn’t actually hosted on hsbc.com; it’s hosted on jameshfisher.com. But when you visit this page on Chrome for mobile and scroll a little way, the page is able to display itself as hsbc.com - and worse, the page is able to jail you in this fake browser! In this post I show how the attack works, then suggest some ways Chrome can fix this vulnerability, then finally show you how to get out if you’re still stuck here. But first, the proof:



In Chrome for mobile, when the user scrolls down, the browser hides the URL bar, and hands the URL bar’s screen space to the web page. Because the user associates this screen space with “trustworthy browser UI”, a phishing site can then use it to pose as a different site, by displaying its own fake URL bar - the inception bar!

This is bad, but it gets worse. Normally, when the user scrolls up, Chrome will re-display the true URL bar. But we can trick Chrome so that it never re-displays the true URL bar! Once Chrome hides the URL bar, we move the entire page content into a “scroll jail” - that is, a new element with overflow:scroll. Then the user thinks they’re scrolling up in the page, but in fact they’re only scrolling up in the scroll jail! Like a dream in Inception, the user believes they’re in their own browser, but they’re actually in a browser within their browser. Here’s a video of the hack in use:

Read more: The inception bar: a new phishing method

Tweet

— Twitter API (@user) View on Twitter

Posted By: Brink
29 Apr 2019