We have all gotten used to the idea that a glance at the browser's address bar is enough to tell whether the website we are on is safe. The browser itself also tries to warn the user about an unsafe resource when he tries to visit it. But a developer has now demonstrated an exploit that can make you believe you are on a secure site by displaying a fake version of the address bar in your favorite browser, Chrome on Android.
Writing on his personal blog, developer Jim Fisher publicly demonstrated that any website can easily spoof the address bar and tab interface of Chrome on Android using only a few simple web design tricks.
In fact, when you scroll through any page in Google Chrome, the top part of the user interface, with the address bar and the icon that opens the tab window, is hidden from view. Fisher found that it is possible to "hide" the scrolling action, that is, to make the browser think the page is not currently being scrolled. You can then scroll through the page, but the top part of the interface with the address bar will not be displayed.
It is at this point that the malicious website you have landed on by tapping some link can display a fake address bar at the top of the screen, where Google Chrome's own bar usually is, with a completely different URL but including the padlock icon that tells you the page is "safe".
To give an idea of how it looks, Fisher recorded a video demonstrating the fake address bar in action. At the moment the video that the developer posted on his blog does not work, so I am putting here only a screenshot of the mobile Chrome browser window with the real address bar, which was purposely left visible for the demo, and the fake address bar with a spoofed address.
One of the most important aspects of this exploit is that you cannot easily leave the page in Chrome without access to the address bar. Yes, you can just tap the browser's "Back" button, but it is not that simple. Many websites have already demonstrated how easy it is to remap the action of the "Back" button in your browser, so Google is now working on a patch for this exploit.
Currently, the best way to check whether your address bar has been forged is to lock the phone and then unlock it. This should make Chrome for Android display your real address bar while leaving the fake one in place, as shown in the screenshot above. To try out the exploit in action and learn more about how it works, you can read the developer's full post on his personal blog.