We have learned to trust our browser’s address bar to tell us whether we are on a legitimate site. It usually shows whether the website is secure (the HTTPS indicator), and the browser usually warns you if you end up on an unsafe website.
However, a developer recently found an exploit in Chrome’s mobile app that can make you believe you are on a legitimate site by showing a fake version of Chrome on Android.
James Fisher, a renowned developer, posted an article on his personal blog where he demonstrated how the address bar of Chrome on Android can be compromised using a few web design tricks.
Typically, when you scroll down, the address bar and its buttons are hidden. Fisher discovered that the scrolling page could be ‘jailed’, so that when the user scrolls back up the Chrome UI is not displayed. Instead, when the user scrolls up, the web design tricks can display an image of a fake address bar with a completely different URL.
The demonstration by Fisher shows the real URL, “jamesfisher.com”, being swapped with “hbsc.com”.
The biggest concern with this exploit is that the user cannot go back without losing access to the address bar. It is pretty easy to override the browser’s back button as well.
How to Check if the Address Bar Is Compromised
At this point, the best way to check if the address bar has been tampered with is to lock your phone and then unlock it again. This will show both the real and the fake address bar together on the screen.
Google has not commented on this issue at the moment. However, 9to5Google says that the locking and unlocking method is not foolproof and might not force the address bar to show the real URL every time.
In any case, try not to use Chrome too much on Android.