
Mobile version of Chrome vulnerable to phishing attacks

(Image credit: Earl Jeffson / Flickr)

Researchers have detected a vulnerability in the mobile version of Google's Chrome browser which can allow hackers to trick unsuspecting victims into thinking they are visiting a legitimate website instead of a fake one.

As you may imagine, if a person believes they are visiting their bank's website, they may end up sharing vital information such as bank account numbers, passwords and more.

The vulnerability was disclosed by security researcher James Fisher. Even though this is considered a 'proof of concept', and we still don't have any reports of the vulnerability actually being used, that doesn't mean it hasn't happened or can't happen.

As a matter of fact, this vulnerability may come from Chrome, but Fisher believes a multitude of browsers may be susceptible.

So how does the vulnerability work?

Newer versions of Chrome for mobile devices hide the address bar once the user scrolls through the page. This is an intended feature, whose goal is to give the website as much display real estate as possible. However, there's a way to trick the browser so that once it hides the address bar, it never shows it again. Instead, hackers can show their own address bar. Consequently, you may think you're visiting HSBC, but instead, you're on a hacker's website, just about to type in your password and try to make a payment.

Fisher believes there's no easy fix for this, and that Chrome's developers should not trade a little extra real estate for security.


Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.