Chrome ‘Inception Bar’ Phishing Attack Lets Hackers Trick Users With Fake URL Bar. Here’s How to Avoid It

Malicious parties can overlay a fake URL image or even create an interactive URL bar.

Advertisement
By Nadeem Sarwar | Updated: 30 April 2019 14:06 IST
Highlights
  • The ‘inception bar’ hack works only on Chrome for mobile
  • It exploits the fact that Chrome hides the URL bar while scrolling
  • It is very hard for regular users to identify if they are being tricked

The inception bar even shows the padlock icon for security to remove any suspicions

Google recently came up with a new security feature that warned users against lookalike URLs, helping them to distinguish between genuine and fake Web addresses. But it appears that a more grave issue has raised its head, a new type of phishing attack that has been proven to work on Chrome for mobile. Dubbed the ‘inception bar', the technique allows hackers to mask the real URL on Chrome for mobile and show a fake URL instead, complete with a padlock icon to deceive users into believing that the page they are scrolling is legit and secure. What's worse is that the fake URL can also be made to appear as a dynamic bar with interactive content.

Documented by developer James Fisher, the hack allows malicious parties to take advantage of the fact that Chrome for mobiles hides the URL bar when users scroll down to clear screen space for displaying more content. Malicious webmasters can take advantage of this fact to trick users into visiting a malicious webpage by hiding the real URL bar with a doctored URL, complete with the padlock icon to further remove any doubt. This fake URL bar is dubbed the ‘inception bar'.

Advertisement

The fake website can then prompt users to submit data such as log-in credentials. Chrome for mobile shows the URL of a webpage when users scroll back to the top, but hackers can even trick the browser into hiding the real URL bar altogether. Moreover, the malicious parties can lock users in what is called a ‘scroll jail', a technique that deceives users into believing that they are scrolling a webpage by even mimicking a fake page refresh response.

While hackers can use a static image of a URL bar to mask the real URL, they can even create an interactive URL bar to make the trick look more believable. “Is this a serious security flaw? Well, even I, as the creator of the inception bar, found myself accidentally using it! So I can imagine this technique fooling users who are less aware of it, and who are less technically literate”, Fisher wrote.

He adds that the only chance to identify the trick and verify the real URL is during the page load process, and after that, it is virtually impossible to discern. We tried out the phishing attack proof-of-concept URL on both Chrome for Android and iOS, and found it to work. We've reached out to Google for a comment on the new phishing attack, and will update this space when we hear back.

So far, there have been no reports of malicious parties exploiting the hack to deal damage. But there are a few measures one can take to protect themselves from the “inception bar' hack:

  • While browsing a webpage on Chrome for mobile, lock the screen and then unlock it. Doing so will automatically show the real URL bar that was hidden while scrolling through a webpage. In case the inception bar trickery is at work, users will see two URL bars simultaneously – the real one at the top and the doctored one below it.  
  • Inception bars often display an incorrect number of tabs, so if you keep a check on the number of webpages you have opened in different tabs, the anomaly can be spotted.
  • Chrome's dark mode renders all UI elements black. So, if a hacker has superimposed a fake URL bar, it will appear white or in a different colour. This can also be tested by switching back to the normal mode in order to identify a fake URL bar if the image was created against a dark background. You can also enable the Reader mode or change background themes to spot any suspicious UI element.
 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Further reading: Chrome, Inception Bar
Advertisement

Related Stories

Popular Mobile Brands
  1. Best Gaming Laptops Under Rs. 80,000 in India
  2. iPhone 18 May Receive RAM Boost to Handle Apple Intelligence Better
  3. Amazon Prime Day Laptop Deals: Best Discounts on HP, Asus, Lenovo and More
  4. Everything We Know About the Nothing Phone 4b
  1. Xiaomi 18 Pro Max Camera, Display, Battery Details Tipped; May Get 8,500mAh Battery, 200-Megapixel Cameras
  2. iPhone 18, iPhone 18e Tipped to Get 9GB RAM Upgrade for Apple Intelligence; Pro Models May Stick With 12GB
  3. Amazon Prime Day 2026 Laptop Deals: Best Discounts on HP, Asus, Lenovo, Dell, Acer Models
  4. Best Camera Phones Under Rs. 30,000 for Content Creators in India: Motorola Edge 70 Fusion, Galaxy F56, More
  5. Boat Stone 900 Launched in India With Up to 80W Sound Output, Up to 15 Hours Audio Playback: Price, Features
  6. Cyberpunk 2077 Has Sold 40 Million Copies, CD Projekt Red Confirms
  7. Nothing Phone 1 Receives Final Software Update With Latest Security Patches, Bug Fixes and Improvements
  8. Nokia 235 4G (2026), 215 4G (2026) Launched Alongside Nokia 210 4G, and 200 4G With AI Assistant Button
  9. Samsung Galaxy S27 Ultra Battery Details Leaked; Could Top iPhone 18 Pro Max's Battery Capacity
  10. OnePlus Ace 7 Series Tipped to Feature 185Hz Display, 9,000mAh Battery
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.