Chrome on Android: Phishing attackers can now trick you with fake address bar

LASER_oneXM

Why display the URL bar on a mobile device when you can give users more screen space by hiding it?

Google Chrome for Android does just that after a page has loaded, concealing information about the URL and expanding the screen space available to display content from the web page.

The feature is handy for users, but developer James Fisher is drawing attention to the possibility that phishing attackers can abuse it to catch users off guard when browsing.


As he demonstrates in a blog post hosted on his website, the content can be made to convincingly look as if it were hosted on the website of UK banking giant HSBC, with the green HTTPS 'secure' padlock and all.

A phishing attacker would be relying on the chance that users aren't paying attention after clicking a link in a message and scroll down, at which point Chrome on Android hides the URL bar and gives that space to the web page. Chrome on iOS, which is based on Apple's WebKit, continues to display the original URL bar.

But on Android that's where a phishing attacker could test potential victims' alertness with a fake URL bar that's built into the phishing web page.
 