Generally speaking, we’ve come to trust our browser’s address bar to know whether a site we’re on is legitimate or not. A developer has demonstrated an exploit that can make you believe you’re on a legitimate website by showing a fake version of Chrome for Android’s full address bar.
Posted to his personal blog, developer Jim Fisher was able to publicly demonstrate that a website can easily replace Chrome for Android’s address bar and tabs UI, using only a handful of web design tricks.
Essentially, when you scroll down any page in Chrome for Android, the top UI with your address bar and tabs button are hidden from view. What Fisher found was that you could “jail” the scrolling of the page, which allows you to scroll back up the page without Chrome for Android showing its UI again.
Next, when you try to scroll up, the page can display an image of a fake address bar at the top of the screen, where Chrome for Android’s UI normally is, with a completely different URL, including the lock icon that tells you whether a page is “secure.”
To help give an idea of what this looks like, Fisher included a visual demonstration of the address bar exploit in action. In the exploit video, you can see the real address bar that shows “jameshfisher.com” get swapped for a fake one that says “hsbc.com.”
One of the more concerning aspects of the exploit is that you can’t easily leave the page without access to Chrome for Android’s address bar. It should be as easy as hitting the “Back” button on your device, but plenty of websites have shown how easy it is to override your browser’s back button (though Google does have a fix in the works).
Currently, the best way to check whether your address bar has been tampered with is to lock your phone, then unlock it again. This should force Chrome for Android to show its real address bar and leave the fake, exploited one on display too, seen below. To try the exploit out for yourself and learn more about how it works, be sure to check out Fisher’s full blog post in Chrome for Android.