There’s a new Chrome attack on the horizon, and man, it’s a doozy. Dubbed the “Inception Bar” by the finder, it replicates Chrome’s Omnibox, essentially giving attackers the potential to take control of Chrome completely.
Found by developer James Fisher, the Inception Bar is an incredibly clever phishing attack that leverages the fact that Chrome for Android hides the Omnibox—that’s what the address bar on Chrome is called—as you scroll. Once you scroll down the page a bit, the Omnibox is hidden, and it’s automatically replaced with the spoofed bar. And it looks incredibly convincing—it can even lock the real Omnibox in an overflow container, preventing it from re-appearing once the Inception Bar is in place.
While it doesn’t look like this attack has been found present on the web (yet), Fisher built a working proof of concept on his site, which you can check out at the link. Once you visit the site, scroll down the page a bit, and right after the Omnibox disappears, you’ll see the spoofed Inception Bar—complete with a fake URL—appear in its place. The bar doesn’t work at this point (as it’s just a proof of concept), but it’s not hard to see how with a little bit of additional code it could become a very realistic clone. It’s also worth noting that this is still buggy—closing Chrome and reopening it will display both bars, for example.
Fisher notes in his post that he doesn’t see an easy way to fix this issue, which makes a lot of sense. Since the website itself is generating the faux bar, it will be incredibly hard for the Chome team to find a way to combat the issue.
As for possible ways for users to prevent encountering this issue should it become a legitimate problem, the first one is easy: use a different browser. Any page with the code to generate the Inception Bar will still do so, but it will be hilariously obvious because other browsers don’t use Chrome’s Omnibox. It’s also worth reiterating the fact that this only works on Chrome for Android—Chrome for iOS uses a different interface that prevents this from being any sort of convincing attack. [via Android Police]
In less terrifying news, Apple talks about why it pulled screen times apps from the App Store, Zuck built his wife a nifty “sleep box,” Facebook will be a necropolis in 50 years, Spotify hits 100m subs, and more.
- Apple cracks down on screen time apps: Apple has its own screen time system built into iOS. Recently, it started pulling competing products from the App Store, but the company’s Phil Schiller says it’s not about competition—they were misusing enterprise tools. Interesting. [AppleInsider, 9to5Mac]
- Zuckerberg built his wife a “sleep box”: Zuck said his wife Priscilla has a hard time sleeping—if she wakes in the middle of the night and knows the kids will be awake even in just a few hours, she stays awake. So he built her a box with a subtle light; if the light is off, she knows it’s okay to go back to sleep. If it’s on, she can go ahead and get up. All without looking at a clock, so she doesn’t have the anxiety associated with knowing what time it is. How sweet. [Zuck on Insta]
- Facebook will be a necropolis in 50 years: Researchers have concluded that it will take about 50 years for Facebook’s dead users to outnumber the living ones. It’ll be like Colma, California—where the dead outnumber the living by 1000:1—but online (okay, maybe it won’t be that extreme). [ZDNet]
- Spotify hits a hundy mill: Spotify announced that it now has 100 million paid subscribers. Rollin’ in that dough, y’all. [The Verge]
- TurboTax and H&R Block are hiding free filing from Google Search: Tax filing software wants your money, but it only recently became apparent how badly they really want it—TurboTax and H&R Block were reportedly hiding the free filing tier from Google search results. That means users who were eligible to file for free ended up paying, and that sucks. Shady crap. [ProPublica]
- Apple thought about buying Intel’s smartphone modems business: According to a new report from The Wall Street Journal, Apple was considering gobbling up Intel’s smartphone modem business before the Qualcomm settlement. [WSJ]
- Google has stopped publishing distribution numbers: For years, Google has been sharing Android’s monthly adoption numbers. But for the last six months, it’s been totally mum, and that’s troubling. [XDA Developers]
- Nubia built a fan-cooled 8K gaming phone: Have you ever been so deep into a gaming session on your phone that you needed an 8K display and fan-cooling alongside the built-in liquid cooling? Boy, do we have the phone for you. [Engadget]
- Distracted driving penalty fees have risen 10,000%: Distracted driving has become more of an issue over the last ten years than ever before, and as a result, insurance company penalty fees have jumped nearly 10,000 percent—from $2 to $290. Good. Keep ’em coming until people stop texting and driving. [Digital Trends]
Speaking of distracted driving charges, it’s time to talk about the best story from the weekend: a man spent 13 months and thousands of dollars to prove that a hashbrown is indeed not a phone.
Jason Stiber received a $300 distracted driving ticket for eating a McDonald’s hashbrown while driving. An officer mistook the breakfast food as a smartphone and gave Stiber a ticket. But he fought it in court, which revealed that the officer was on the 15th hour of a 16-hour shift and his judgment may have been subpar. The case was overturned. Absolutely amazing. [The Washington Post]