Is the website you're looking at on your screen really the website you wanted to visit?
Thanks to a newly-discovered bug in Google's Chrome browser, the answer to that question might sometimes be "no."
Security researchers have found a bug in Chrome that allows a website to spoof its address, essentially pretending to be a different web page. Mustafa Al-Bassam, a computer science student at King's College London and former member of the Anonymous hacking offshoot LulzSec, created a demo to showcase how the bug can be exploited, making a webpage that pretends to be Facebook.com, but isn't.
The exploit "pops up a new window and uses a trick to cause the browser to display a different URL in the window," Al-Bassam told Motherboard in an email.
Recreating the exploit is "very trivial but clever," he added, and "you can reproduce it in seconds."
Al-Bassam's demo is harmless, but the bug could be exploited in a more malicious way. There is a caveat, though, that reduces the potential impact and risk: a user can't interact with the spoofed page, meaning he or she can only view it, but can't, for example, input credentials.
That means this exploit can't be used for phishing, that is, for creating a fake Facebook login page to harvest user credentials. But, Al-Bassam said, "there are still many things you can do to abuse a user's trust of a website with a spoofed page."
For example, someone could spoof "https://paypal.com" and replace it with a legitimate-looking page that "tells people to phone a fake customer service number to provide sensitive information."
The bug was originally discovered by David Leo, who on June 7 reported it to Chromium, the open-source project underlying much of Chrome, and then published it on an information security mailing list.
Given that a user can't interact with the spoofed page, Chromium developers thought this wasn't a big issue.
"This doesn't seem very concerning to me," a developer wrote in response to the post by Leo.
A Google spokesperson told Motherboard that the company is aware of the issue, but didn't clarify whether a patch is in the works.
For Egor Homakov, a security researcher for Sakurity, the fact that a user can't interact with the spoofed page means this is "quite [an] innocent" bug.
"But [it's] still a bug," he told Motherboard in an email.