Inception bar: a new phishing method

Original author: Jim Fisher
  • Transfer
Good day, Habr! On the Internet, I came across an article in English "The inception bar: a new phishing method" by Jim Fisher. It describes an interesting way of phishing, the mechanism of which is to use the screen space of the display string of the URL of the mobile version of Google Chrome. The original article is located on the experimental phishing page: you can go to it yourself and draw your own conclusion about the dangers of the described method. Anyone who is interested, welcome under cut!

Welcome to HSBC, the seventh largest bank in the world. Of course, the page you are currently reading is not located on, but on At the same time, if you visit this page with Chrome for mobile devices and scroll down a bit, the page will most likely display the address bar from
( link to the original page )

When scrolling down in the mobile version of Chrome, the browser hides the line display the URL and transfers its screen space directly to the web page. Since the user identifies this space with a trustworthy UI, a phishing site uses it to impersonate another site by displaying a fake URL - an Inception string.

Further worse. Usually, when you scroll up, Chrome renders the URL again. We can make him not do it! At that moment, when the browser hides the URL line, we move the entire contents of the page to the so-called “scroll camera” (English scroll jail) - a new element that uses the “overflow: scroll” property. Now the user thinks that he is scrolling up the page, although in fact he is scrolling through the “scroll camera”. Like the sleeping heroes of the movie "Inception" (Eng. Inception), the user believes that he is working from his browser, although in fact he is in the browser inside the browser.


Is the described mechanism a serious security problem? In truth, even I, the creator of the Inception string, accidentally fell for this trick ( apparently, in my own experiments - approx. Translator ). In this regard, I can imagine how many users can be deceived in this way, in particular - less technically competent and knowledgeable. The user can check the correct URL only when the page loads. After he flipped it down - the chances of salvation are not so many.

While working on the presented concept, I took a screenshot of the address bar on the HSBC website from Google Chrome and placed it on this page. The page can define your browser and create an Inception string for it. With even more effort, the Inception string can be made interactive. Even if you couldn’t fool the user on this page, you can try again after he enters something like in the Inception line.

How to protect yourself from cheating? If you have doubts about the authenticity of a web page, do not just check the URL bar, but refresh (or even close and reopen) the page you are doubting.

If the Google Chrome browser and others like it have a security problem, then how can I solve it? There is a trade-off between increasing screen space and maintaining a trusted area on the screen, such as keeping a small portion of the screen space above the " death line " instead of transferring the entire space to the web page. Chrome can use this small amount of space to display the fact of hiding the address bar.

Description of a similar attack is an attack based on the Fullscreen API . Also, a custom cursor attack (2016) , which works because Chrome allows a web page to set its cursor, which can be moved outside the browser viewport.

Also popular now: