Mobile Browsers: Why It’s a Huge Vulnerability to Hide the Address Bar on Scroll Down

The browser’s address bar plays a very important role. Apart from letting you enter a URL, it shows the domain name and the SSL certificate, which is how you verify which website you are on. When a security flaw affects the address bar, it’s considered a critical vulnerability.

Anyone who can spoof a website URL can conduct a very effective phishing attack and steal login credentials or credit card information.

The vulnerability I’m about to talk about is not new. There have already been many proofs of concept, but despite the various warnings it is still present.

Here is an example of the behavior that Chrome on Android (and many other browsers) uses to save a little space on the screen:

We can clearly see that the address bar is hidden when scrolling down and reappears as soon as we scroll up. In fact, it reappears in many circumstances: when you have to enter something in a form, when you go to another website… This is precisely to prevent URL spoofing. Unfortunately, this doesn’t really protect the user.

It’s possible to counteract all the mechanisms used to bring back the address bar.

To demonstrate this, I created a proof of concept that consists of an alleged link to Facebook:

If you’re on Chrome Android, you can try directly from your browser: https://bordi.fr/poc/chrome-fab

As you can see, when you click on the Facebook button, the address bar appears because you’re leaving for another website. Then the URL changes accordingly, and so does the address bar’s theme color. If we try to scroll up, the refresh icon appears since we are already at the top of the page.

But everything you just saw is fake.

This address bar is fake, and so are the refresh icon and the loading animation! In reality, you never went to another website. I combined elements with CSS and JavaScript to create the illusion.

Of course, you’ll tell me that entering data in a form would bring up the real address bar. In that case, what prevents attackers from making a fake form and displaying a fake Android keyboard? It’s certainly relatively complex, and it requires adapting the UI to the main phones on the market, but it’s not impossible.

Chrome on Android has more than one billion users; that’s a lot of people likely to be affected by this vulnerability. Although it’s difficult to exploit, it can claim many victims.

The only way to prevent this is simply to never hide the URL of a website. This certainly costs some screen space, but it’s necessary for the safety of users.

I hope you found this interesting. Don’t hesitate to share it with those around you and help people be more careful.

Follow me on Medium or Twitter (https://twitter.com/eddybordi) if you want to read my next articles (stuff about web marketing, IT security, web development, robotics…).