This story is over 5 years old.


This Chrome Bug Makes It Hard to Tell If You're on the Real Facebook

A researcher spoofed taking advantage of the bug.
Image: YapAhock/Shutterstock

Is the website you're looking at on your screen really the website you wanted to visit?

Thanks to a newly-discovered bug in Google's Chrome browser, the answer to that question might sometimes be "no."

Security researchers have found a bug in Chrome that allows a website to spoof its address, essentially pretending to be a different web page. Mustafa Al-Bassam, a computer science student at King's College London and former member of the Anonymous hacking offshoot LulzSec, created a demo to showcase how the bug can be exploited, making a webpage that pretends to be, but isn't.


The exploit "pops up a new window and uses a trick to cause the browser to display a different URL in the window," Al-Bassam told Motherboard in an email.

Recreating the exploit is "very trivial but clever," he added, and "you can reproduce it in seconds."

Al-Bassam's demo is harmless, but the bug could be exploited in a more malicious way. There is a caveat though that reduces the potential impact and risks: A user can't interact with the spoofed page, meaning he or she can only view it, but can't, for example, input credentials.

That means this exploit can't be used for phishing, creating a fake Facebook login page to harvest user credentials. But, Al-Bassam said, "there are still many things you can do to abuse a user's trust of a website with a spoofed page."

"There are still many things you can do to abuse a user's trust of a website with a spoofed page."

For example, someone could spoof "" and replace it with a legitimate-looking page that "tells people to phone a fake customer service number to provide sensitive information."

The bug was originally discovered by David Leo, who on June 7 reported it to Chromium, the open-source project underlying much of Chrome, and then published it on an information security mailing list.

Given that a user can't interact with the spoofed page, Chromium developers thought this wasn't a big issue.

"This doesn't seem very concerning to me," a developer wrote in response to the post by Leo.

A Google spokesperson told Motherboard that the company is aware of the issue, but didn't clarify whether a patch is in the works.

For Egor Homakov, a security researcher for Sakurity, the fact that a user can't interact with the spoofed page means this is "quite [an ] innocent" bug.

"But [it's] still a bug," he told Motherboard in an email.