Chrome for Android exploit tricks users with fake address bar, here’s how to avoid it

Generally speaking, we’ve come to trust our browser’s address bar to know whether a site we’re on is legitimate or not. A developer has demonstrated an exploit that can make you believe you’re on a legitimate website by showing a fake version of Chrome for Android’s full address bar.

In a post on his personal blog, developer Jim Fisher publicly demonstrated that a website can easily replace Chrome for Android’s address bar and tabs UI using only a handful of web design tricks.

Essentially, when you scroll down any page in Chrome for Android, the top UI with your address bar and tabs button is hidden from view. What Fisher found was that a page could “jail” its own scrolling, so that you can scroll back up without Chrome for Android ever showing its real UI again.

Next, when you scroll back up, the page can display an image of a fake address bar at the top of the screen, where Chrome for Android’s UI normally sits, showing a completely different URL, complete with the lock icon that is supposed to tell you whether a page is “secure.”

To help give an idea of what this looks like, Fisher included a visual demonstration of the address bar exploit in action. In the exploit video, you can see the real address bar that shows “jameshfisher.com” get swapped for a fake one that says “hsbc.com.”

One of the more concerning aspects of the exploit is that you can’t easily leave the page without access to Chrome for Android’s real address bar. It should be as easy as hitting the “Back” button on your device, but plenty of websites have already shown how easy it is to override your browser’s back button (though Google does have a fix in the works).

Currently, the best way to check whether your address bar has been tampered with is to lock your phone, then unlock it again. This forces Chrome for Android to show its real address bar while the fake one remains on display beneath it, so the two are visible at once. To try the exploit out for yourself and learn more about how it works, be sure to check out Fisher’s full blog post in Chrome for Android.

Author

Kyle Bradshaw

Kyle is an author and researcher for 9to5Google, with special interests in Made by Google products, Fuchsia, and uncovering new features.