A developer has discovered a vulnerability in the Chrome web browser on the Android operating system, exploiting users' trust in the address bar at the top of the page to make them believe they're visiting a safe location by showing a fake version of the browser's address bar.
The developer, Jim Fisher, published a personal blog post explaining how any Web site could deceive users by showing an address bar, with assurances that the site was safe, instead of the original tape and interface, using some deception in the design.
The vulnerability can be explained by the fact that the Chrome browser hides the title bar if the user wants to scroll down the page, but Fisher finds that the browser can be deceived to show an image that mimics the title bar, but actually displays a fake bar at the top of the page.
Fischer posted an illustration video and how he fooled the browser to see who was browsing the HSBC website, even though he was actually browsing his blog.
The fake title bar remains visible at the top of the page as long as the user browses, and does not disappear until the user reaches the top if scrolling from bottom to top. It does not show the moment the page is opened.
It is noted that there is not yet any clarification from Google about this loophole, and to address it is advised to lock the phone and then reopen it; to force the browser to show the real address bar.