How to Detect a Fake Address Bar in Chrome on Android

Fake login pages are a common phishing technique for stealing user credentials. If the page looks normal, muscle memory kicks in and you start typing your username and password without checking that the URL (and therefore the site) is the one you expect. The problem has now become harder: developer Jim Fisher recently reported a technique that shows how easily a website can use a fake address bar to make you think you are somewhere you are not.

You can usually glance at the padlock icon to the left of the address bar to judge whether a site is genuine. Don’t blindly trust that little graphic, however: phishers have worked out how a mobile web page can draw its own fake URL bar in Chrome, complete with a padlock icon and a substitute URL. This so-called “inception bar” takes the place of the real address bar in your viewport, and if you are not paying close attention you will assume your browser is behaving as intended.

The whole trick is possible because the mobile Chrome UI, including the URL bar, normally slides out of view as you scroll down a page, and a website’s developer can prevent it from reappearing. As Fisher describes:

This is bad, but it gets worse. Typically, when the user scrolls up the page, Chrome re-renders the real URL string. But we can trick Chrome into never displaying the true URL string again! As soon as Chrome hides the URL bar, we move the entire content of the page into a “scroll jail”, which is a new element with overflow: scroll. Then the user thinks they are scrolling the page up, but in reality they only scroll up in the scroll jail! As in the Inception dream, the user believes they are in their own browser, but they are actually in the browser in their browser.

But it gets worse! Even when using the aforementioned “scroll jail”, the user should be able to scroll to the top of the jail, after which Chrome will re-render the URL bar. But we can also disable this behavior! We insert a very tall padding element at the top of the scroll box. Then, if the user tries to scroll the padding, we scroll back to the beginning of the content! It looks like a page refresh.
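As an added illustrative example (not code from this article or from Jim Fisher’s write-up), the following JavaScript is a defender’s heuristic for flagging the layout just described: a viewport-filling scroll container whose first child is a spacer many times taller than the screen. It runs on a constructed plain-object model of the DOM so that it executes in Node; the element model, `makeEl`, `findScrollJail` and `classify` are assumptions of this example, and in a real content script or crawler the same walk would use `document.body`, `getComputedStyle()` and `getBoundingClientRect()`.

```javascript
// Heuristic detector for the "scroll jail" layout described above.
// Added example; the element model below is a stand-in for a real DOM:
//   { tag, style: { position, overflowY }, rect: { height }, children: [] }
function makeEl(tag, style = {}, rectHeight = 0, children = []) {
  return { tag, style, rect: { height: rectHeight }, children };
}

// Signals that together suggest a scroll jail:
//  1. an element that fills the viewport (fixed/absolute, height ~ viewport)
//     and is itself a scroll container (overflow-y: scroll or auto)
//  2. that container's first child is a leaf spacer far taller than the viewport
function findScrollJail(root, viewportHeight) {
  const findings = [];
  const walk = (el, depth) => {
    const pos = el.style.position || 'static';
    const ovf = el.style.overflowY || 'visible';
    const fillsViewport =
      (pos === 'fixed' || pos === 'absolute') &&
      Math.abs(el.rect.height - viewportHeight) <= 2;
    const isScrollContainer = ovf === 'scroll' || ovf === 'auto';
    if (fillsViewport && isScrollContainer) {
      const first = el.children[0];
      const tallSpacer = !!first && first.children.length === 0 &&
        first.rect.height >= 3 * viewportHeight;
      findings.push({ depth, tallSpacer, spacerHeight: first ? first.rect.height : 0 });
    }
    el.children.forEach((c) => walk(c, depth + 1));
  };
  walk(root, 0);
  return findings;
}

// Collapse the findings into one verdict for a page.
function classify(root, viewportHeight) {
  const findings = findScrollJail(root, viewportHeight);
  if (findings.length === 0) return 'no-scroll-container';
  return findings.some((f) => f.tallSpacer)
    ? 'scroll-jail-with-spacer'
    : 'nested-scroll-container';
}

// Constructed sample 1: a page with the suspicious layout
// (viewport-sized fixed scroller, huge top spacer, then the real content).
const VIEWPORT = 640;
const suspiciousPage = makeEl('body', {}, VIEWPORT, [
  makeEl('div', { position: 'fixed', overflowY: 'scroll' }, VIEWPORT, [
    makeEl('div', {}, 100000),                             // very tall padding spacer
    makeEl('main', {}, 3000, [makeEl('form', {}, 300)]),   // the page content
  ]),
]);

// Constructed sample 2: an ordinary page; its fixed sidebar scrolls but
// does not fill the viewport, so it is not flagged.
const ordinaryPage = makeEl('body', {}, 3000, [
  makeEl('header', {}, 80),
  makeEl('main', {}, 2800, [makeEl('form', {}, 300)]),
  makeEl('aside', { position: 'fixed', overflowY: 'auto' }, 300, [makeEl('ul', {}, 900)]),
]);

console.log(classify(suspiciousPage, VIEWPORT)); // scroll-jail-with-spacer
console.log(classify(ordinaryPage, VIEWPORT));   // no-scroll-container
```

The thresholds (a spacer at least three viewports tall, a container within two pixels of the viewport height) are arbitrary starting points; a legitimate single-page app can also wrap its content in a full-screen scroller, so a hit is a reason to look closer, not proof of phishing on its own.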

Google is working on a fix, but in the meantime there are a few ways to spot a fake address bar:

  • You can force the Chrome app to display its UI even when a website suppresses it: lock your phone’s screen while Chrome is open, then unlock it. This resets the Chrome window and redraws the interface. If the URL is bogus, you will see two URL bars, one at the top showing the true URL and one below it showing the fake one.
  • If you browse with several tabs open, keep a close eye on the number shown on the tab icon. Fake bars often display the wrong count here.
  • Chrome for Android’s new dark mode also makes a fake bar easier to spot. With dark mode enabled, the URL bar and other UI elements are black, so a (fake) white URL bar stands out, and the reverse holds if you use the regular Chrome mobile theme and the fake bar is black. The same applies when you use Reading View, the simplified UI modes, or alternative Chrome Mobile themes that change how the URL bar is displayed.
