The cat-and-mouse game between cybercriminals and their unsuspecting targets is getting abominably nasty. Cybercriminals are getting better and better at ducking firewalls and antivirus programs. A legion of hackers is turning to ransomware or planting virus-loaded ads on legitimate sites, while others put their efforts into exploiting lame bugs in the webiverse. Lame, you say? It’s still worrisome.
Security researchers have found a bug in Google’s Chrome browser which allows a website to mask its address, pretending to be a different site. Mustafa Al-Bassam, a computer science student at King’s College London and former member of LulzSec, recently gave a demonstration of how the bug can be exploited, making a webpage that pretends to be Twitter.com or Facebook.com, but isn’t.
Chrome Bug makes Web Spoofing of Twitter and Facebook
The advanced exploit pops up a new window and uses a trick to cause the browser to show a different URL in that window. Reproducing the exploit is fundamentally trivial but quite clever, and any hacker can do it in seconds. While the demo shown by Al-Bassam was innocuous, it could still be misused in a more malignant way. There is a caveat, however, that reduces the potential impact and risk: a user cannot interact with the spoofed page. They can only view it and cannot enter credentials.
The exploit, thus, cannot be put to use for phishing; however, that doesn’t stop cybercriminals from creating a fake Twitter or Facebook login page to gather user credentials. This could be just the start of a hundred things one can do to abuse a website using a spoofed page.
For instance, somebody could spoof PayPal.com with a legitimate-looking webpage showing a fake customer care number that tells people to provide sensitive information.
The bug was originally found by David Leo, who reported it to Chromium in June 2015 and then published it on an information security mailing list. Because users cannot interact with the spoofed page, Chromium didn’t see it as much of a threat.
Innocent or not, a bug is a bug.