The inception bar: a new phishing method
"This is not a UI."
This specific example may be new, but the concept of fooling users with websites containing images of the system's own UI is not new --- for example, all the fake antivirus alert boxes. That had a relatively easy mitigation --- using a non-default appearance on your system (e.g. an XP-style "you have a virus!" dialog box image would just look silly if you weren't using XP with the default theme), but it seems the trend toward un-customisability is just going to lead to this being even easier to exploit.
Of course, mobile browsers hiding important information and being even more un-customisable makes this worse.
Well, even I, as the creator of the inception bar, found myself accidentally using it!
When reading a product's documentation that has screenshots explaining how to do something, I've also accidentally tried to manipulate them instead of the actual dialogs. I'm sure others here have had similar experiences too.
With a little polishing this would be quite the "exploit" - trap the user in your fake browser, actually load pages that are entered into the fake URL bar, replace content only on certain patterns...
The only solution here is a proper line of death [0]. It defeats the purpose of the LoD when it dynamically shrinks from user action.
[0]: https://textslashplain.com/2017/01/14/the-line-of-death/
I happened to have 26 tabs open while loading this, and spent a minute trying to figure out how the fake bar "knew" my open tab count.
I can't help but think that this was made possible by the complete collapse in common UI standards. 'Apps' have stopped being OS-toolkit apps and moved onto the web, and of course each designer needs to have their own special on-brand widget style. This has leaked onto the few remaining desktop apps: Chrome rejects the standard Mac OS widgets and reimplements everything, from buttons to the print dialog. Spotify does its own thing. And lest we think Apple has much respect for UX, iTunes is a mess. I genuinely can't use it.
The result is that users have been trained not to expect consistent UI paradigms. Every UI is hunt-and-peck. And that paves the way for this kind of exploit.
Using Firefox for Android: if I open the page and scroll down, the address bar becomes invisible and the HSBC bar shows up. If I keep scrolling down, I just see HSBC. The moment I scroll up, the original address bar is shown, and even if I keep scrolling down, the bar does not disappear.
Edit: it's happening kind of randomly. 1 time it happens, 3 times it doesn't...
There was a similar thing reported a few months ago relating to a fake Facebook social login popup.
https://myki.com/blog/facebook-login-phishing-campaign/
It adds the browser elements to make it appear like a verified popup.
The only reason it was discovered was due to users complaining that the password manager did not auto-populate the form.
This worked brilliantly on my Chime Android, and I'm quite surprised the scroll-jail trick worked too.
I suppose the author just wanted a quick PoC, but with enough work, one could mimic an interactive browser address bar, including the menu with refresh, bookmark, etc., and even the HTTPS padlock with security information. Browser UIs being designed in CSS itself, one could easily copy/paste from the browser itself.
Interesting. iOS Safari seems to force the address bar to stay visible on this page.
Whenever I'm looking at an iPhone screenshot someone posted on social media on my iPhone, I try to navigate using the buttons in the image. There ought to be a long German word for that experience.
Yahoo actually tried to do this in 2015 with an internal initiative called "Silver Search" to try and trick Firefox users into using their own Yahoo-powered omnibox. I was fucking livid when I found out about it and complained.
I'm not doubting the concerns raised but the fake failed in many ways for me on my phone with the latest chrome. It didn't appear. Then when it did it appeared below the existing bar.
But I guess you just need it to work often enough.
FYI this isn't occurring on Chrome or Safari on iOS. As soon as the fake bar appears the page stops scrolling normally - the scrolling inertia stops so that I can scroll but not "toss" the page, and the real address bar no longer hides. I wonder if this is a deliberate mitigation, or an accident?
I understand why this was a problem in 1995, but honestly, in 2019, with image recognition technology as advanced as it is now -- especially due to efforts by Google -- why can't browsers detect this? Surely "does this rectangle look vaguely like a URL bar" is an easier problem to solve than "is this a photograph of a cat"?
Sure, image recognition is CPU intensive, but even just checking once every 5 seconds or so would be enough to prevent this sort of attack and pop up a big "you are being phished" warning. And 99.99% of what occupies that UI real estate looks sufficiently unlike a search bar that a low-cost recognizer should be able to rule out phishing for normal sites fairly quickly.
What am I missing? Has this approach been tried and rejected? Is image recognition of fairly static, flat, 2D, geometric shapes actually far more CPU-intensive than I imagine?
"Make sure you've done a hard refresh of the page"
An inception bar could include a fake refresh button, no?
A recent example that I've been seeing more and more is pages taking over some system keyboard shortcuts. I've seen pages taking over Command-F and using their own search interface instead of the browsers. I've found utilities for not messing with copy/paste, but is there a way to block pages with keyboard shortcuts in Chrome?
Everything looks correct on Chrome mobile. I don't ever see the HSBC bar, regardless of how I scroll.
I recently helped someone install VLC. I googled "VLC download" (relying on Google) and then clicked through the clearly labelled download links. I must have accidentally clicked a link twice because two copies started downloading. The more recent one was finished so I literally started opening the executable. The only thing that stopped me was that it was called vlc-streaming or something, and the one next to it was still downloading, slowly. That's because it was a download triggered by VLC's ad partner. It wasn't VLC.
This wasn't some shady part of the Internet. I was livid.
If they had given it the same name, size, and approximate download speed as the file I was downloading, I would have had zero way to determine this. Everyone has accidentally started two downloads when they just wanted one copy.
Unreal that this could happen on an official site. (And that it basically tricked me.)
I didn't see it working on Chrome on my phone (Chrome 73.0.3683.90, OnePlus 6).
Edit: does work with a refresh
This sort of works on Chrome for Android, but the critical overflow:hidden trick does not prevent Chrome from restoring the real address bar.
Slightly OT, but it's HTTPS so it must be safe, right?
It's an example of why the "HTTPS everywhere" push annoys me, it gives false sense of security. Security resources should be better spent.
Also, back on topic, Google should stop blindly handing the wheel to "Designers". Oversimplification instead of properly educating people leads to this crap.
Looks like the "never redisplay the true url bar" trick didn't work for me on my mobile Chrome.
This fake bar reminds me of the fake address bar that Google displays in an AMP viewer and the efforts it takes to be able to replace URLs in an address bar instead of just letting the user visit the target site.
When using Firefox Focus on Android, the whole image is blocked from loading.
I like how 10 years back or today the answer to such phishing issues (then specifically targeted at IE, now Chrome) is "use Firefox".
The usability / security trade-off is difficult.
Another example where Chrome prefers usability over security is autofill, where a user can accidentally share more personal information than he/she wishes:
https://medium.com/@stabbles/why-you-should-disable-autofill...
Using Firefox Focus on Android and the bar doesn't show up at all. Re-enabled Chrome temporarily and the bar does show up, however.
There is previous work on the matter: a fake Firefox XUL browser if I recall correctly (UI redressing).
This attack is for sure nice and effective!
I figured out something kinda like this but worse. I don't really know how to make it public though because it hits so many different pieces of software that I struggle to see how I could give enough warning to all of them. Thousands of entities, really.
If someone else has dealt with this please reach out I want to make it public in a safe way.
I'll worry about this when I stop getting emails from my banks and credit card companies that look like cheesy phishing emails and ask me to click the link then login.
My point is that none of this stuff matters if major corporations continue to send out terrible emails that basically encourage consumers to engage in risky behavior.
Reading this reminded me of the time in the 80s when I discovered hex editors and changed COMMAND.COM to reverse every DOS command. So to get a directory listing you had to type RID, COPY became YPOC, etc. The error message was !sdrawkcaB. I know I'm no hacker but everyone else thought I was.
Perhaps a solution would be to allow the browser to share a "fingerprint" with specific websites. To make a trusted connection. The website would know if a trusted connection exists for the user and deny all login attempts coming from unauthorized fingerprints.
Not using Chrome, and not having a padlock in the URL bar, and disabling non-ASCII URLs, fixes many of this problem.
Another possibility would be to display a "collapsed" address bar, so that you can see that it is not the actual bar, but rather is another one.
I tried to exploit the mobile browser hiding the address bar when scrolling to hide the address bar in a web game/app to get more screen real estate on mobile but most browsers make it very hard.
The illusion is almost perfect. However, it breaks when you scroll back to the very top. The real address bar reappears on top and stays there even when scrolling back down. This is with Chrome 73.
I wrote a QuickBASIC clone of the Novell network login screen and dumped passwords to a file. Got dozens of students' passwords and did nothing with it... I was 13 years old...
Doesn't scale well to small mobile devices (e.g. iPhone SE).
If I scroll up high enough, I get both address bars. Then if I scroll back down both stay in place. The inception bar isn't clickable, ever.
On Chrome 73.0.3683.90.
Wow, didn't even think it was possible to do this.
Looks like they 'fixed' this in Chrome for mobile. The URL bar no longer disappears on his site (but it does on most other sites).
The scroll jail is easily defeated by grabbing the fake address bar and pulling that down, rather than pulling down the main content area.
By overriding the scroll behavior, it also makes the page feel very unnatural on an iPad (I think it's the inertia effect missing).
Scary exploit! Would it also work using Element.scrollIntoView()? In such case it wouldn't even need user interaction.
Totally fooled me, but pulling down on the fake 'inception' bar brings back Chrome's url bar. Neat trick.
I'm surprised that nobody included "clicking on the url bar in order to modify it" as a mitigation.
Turns out if you lock the phone the actual address bar reappears after you unlock your phone
Yuck. I have a custom UI on mobile so it's out of place to see white. I also just suffered from a bug causing images to half load (no idea why it seems new). In trying to get images to load I got the tab count portion loaded, I then immediately tried changing tabs ... With the fake button I just made show up.
Doesn't seem to work with Firefox on Android but a nifty little trick for sure!
It works with the desktop version too if you go full page (F11)
I did use chromium to test.
A similar attack could be done with fake password manager UI elements.
I found a fix to this problem, by accident. I use the Blokada apk on Android (not the Google Play Store version, the good one, if that makes a difference) and when first visiting the page I didn't see what the hell you were talking about; the inception URL bar never showed up for me. So, when most things don't load or don't act as they're supposed to, that is the first thing I go and do -- disable Blokada and reload. Once I did, then it showed up. (Pretty cool little discovery btw, good job.)
So tl;dr: can be fixed by using an ad+malware blocking hosts file, namely this one, https://raw.githubusercontent.com/jerryn70/GoodbyeAds/master... since it's the one I use and was using when I noticed this.
Javascript is disabled by default in my mobile browser shrugs
The scroll jail didn't work for me on the latest stable Firefox for Android.
Change your system font.
If I see 26 tabs open, I immediately know something is wrong.
Huh naked browser doesn't even show the fake address bar
This scroll jail shit is why I absolutely despise AMP pages.
It was hard to reproduce this behaviour on Firefox mobile, but it did happen twice after multiple scroll-ups and downs.
So the question is, is it a common browser bug?
I like how this is a trend now, fake popups, fake url bars.
Maybe _unique_ browser designs would help users.
This is why Chrome is a terrible choice - it disregards OS UI/UX choices.
Poor Android users .. no blue bubbles and now this!
> when you visit this site on Chrome for mobile, and scroll a little way, the page is able to display itself as hsbc.com:
I would like to test this out, but I'm not willing to install spyware. Can anyone confirm this?
I guess this risk could be mitigated if the browser had recognition code running in the background for if the top of the screen was mimicking the search bar. I'm not fond of the idea that we put restrictions of fullscreen mode where it requires user approval when scrolling down or something of that sort.
Well, people still believe that they will help a prince from Nigeria.
Also I've seen some old ladies believing that a young soldier from the US needs help taking money out of %some country%.
A fake address bar, with a fake "look, I'm safe" mark on it? Yes, it'll do it.
Reading these comments initially got me sad. How many echoes of the article's theme - "look at this flaw and how I exploited it". At first I thought the author had cast a magical spell to bring out the dark side in us. But really, the initiative in us that is adversarial already exists and is simply suppressed. We go about all day acting "civilized" while the animal in us paces nervously waiting for an opportunity to get out. And in the anonymity of the net, we let the animal out. How many of us would brag about these accomplishments to our children or to our boss at work?
But then I realized how honest every post was. How anonymity also encouraged "free" speech. And remarkably how much data was shared. Before the net, when we couldn't be anonymous, we couched our meanings in bs and obfuscation. The "bs" meter was a finely tuned process that you had to develop and run in the background to sort the chaff from a person's words. Now, comments are often accompanied by a github link where I can read and test the code that people brag about. Thank you internet.