A newly revealed website design vulnerability represents the newest potential attack on your online information.
You’re sitting at your desk when you get an email on your phone: Your bank is notifying you of suspicious activity on your debit card. Not wanting to let someone drain your checking account because they stole your card information, you click on the link.
You scroll down to enter your login credentials. Something about the site doesn’t look quite right, but when you scroll back up to see the address bar at the top, you see your bank’s website URL and the little green “lock” icon assuring you that you’re safe.
Except you aren’t.
On Saturday, web developer James Fisher demonstrated a new Google Chrome loophole in a blog post: using a few design tricks, you can fool a user into thinking they’re on a different site, leading to possible phishing scams. By implementing a scroll lock and inserting a false address-bar graphic, you can make it appear to a user that they have navigated to a secure site, when, in fact, the real URL is hidden because Chrome hides the bar at the top as you scroll down the page.
Using some relatively simple code, you can prevent the user from navigating up far enough to bring back the actual address bar. As a result, a shady website could easily make you think you’re at your bank’s secure login page, only to capture your login information for later.
This appears to affect only Chrome for Android users, as the iOS version of Chrome continues to show the true URL at the top, making the scam easier to detect and avoid. Regardless of which mobile device you use, it’s probably a good time to review best practices for keeping your information safe on the internet.
Generally, all of the standard rules apply. Don’t navigate to sites you don’t trust. Don’t click on links in emails from people you don’t know. For sensitive and personal accounts, use an app when available; every major bank, for example, has a mobile app. Most of them won’t send you an email asking you to click on a link, specifically to help you avoid scams like this.
Now that this trick has been made public, it isn’t hard to imagine that someone will try to take advantage of it. If you do find yourself on a site like this, you can force Chrome to show the real address bar by locking and unlocking your device, which then lets you enter a new URL.
Whether or not Google will make changes to Chrome for Android to “fix” this particular vulnerability remains to be seen. In the meantime, that doesn’t mean you can’t take responsibility for your own online security.