An experimental Chrome feature intended to prevent phishing attacks may be backfiring, according to security firm PhishMe. Google is testing an “Origin Chip” that hides a website’s full URL. Instead, it displays the domain name of the site being visited, along with a search bar for fast access. The idea is that displaying only a site’s domain name is far less distracting than a lengthy URL.
The Origin Chip feature is currently available in Chrome Canary, an experimental version of Google’s web browser aimed at developers and early adopters. This beta feature can be enabled under the “chrome://flags/” menu option in Canary. However, the Origin Chip can also be toggled in the stable version of Chrome.
In its research, PhishMe found that if a URL is too long, Chrome will not display a site’s domain name at all. Instead, the browser will show an unmarked Omnibox (address bar), with the ghost text “Search Google or type URL.”
“While Canary is intended to help the user identify a link’s true destination, it will actually make it impossible for even the savviest users to evaluate the authenticity of a URL,” wrote Aaron Higbee and Shyaam Sundhar of PhishMe.
The cutoff between seeing a website’s domain name and a blank Omnibox in Canary depends on the browser’s window size; however, Origin Chip typically will not display URLs in excess of 98 characters, according to PhishMe’s findings.
Google openly warns users that Chrome Canary is a testing platform and that it may even occasionally break. However, these findings could make the search giant rethink its strategy, or at least motivate the company to offer a better warning to users experimenting with its web browser.