Google's Chrome for Android browser has a major vulnerability that could cause some real problems for anyone surfing the web.
Security researcher James Fisher has discovered that he can combine three different functions in Chrome for Android in a way that would let an attacker create a fake address bar and permanently hide the real address bar. Worse yet, the attacker can lock you into a fake browser, creating even more problems.
Fortunately, we don't yet know if any real online criminals are using this method to lure unsuspecting Android users to phishing pages. But now that Fisher has written about it, we're likely to see it happen soon.
If you use Chrome for Android, you'll notice that when you scroll down on a page, the address bar at the top of the Chrome screen goes away. But there's nothing preventing anyone from creating a webpage that embeds a fake Chrome for Android address bar that appears to stay on the screen even when you scroll down.
On a standard, safe page, the address bar reappears with the correct URL in it when you scroll back up. On an altered page, you'd normally then see two address bars, which would alert you that something is wrong.
However, Fisher points out that it's easy to insert a couple of legitimate functions into a webpage's code so that the real address bar never reappears in Chrome for Android and the fake URL will stay up.
That's the big problem here. The tweaks -- which again are completely kosher Chrome functions -- effectively create a browser within a browser, so when you try to scroll back up, you're locked in a browser with a fake URL instead of one with the correct URL.
So, what does this mean for your security? According to Fisher, it's tough to say. You could conceivably hit the Back button on the browser and get back to scratch, but you'll still be on a page that's been hacked. And whether it has been used in any truly malicious ways so far is unknown.
But what's most concerning about it is how easy it is to design a page that can combine these design elements to take advantage of the Chrome for Android user. The only time you can verify that you're on the correct page is when the page loads, before you scroll. As soon as you scroll, you're in trouble.
So far, Google hasn't commented on this issue and there's no telling when, or even if, a fix will be coming. Fisher's not even sure if the flaw can be easily fixed because there's a "trade-off" that could be easily witnessed "between maximizing screen space on one hand, and retaining trusted screen space on the other," he said. But he suggests that maybe Chrome could indicate to users that the true address bar has been collapsed.