The inception bar: a new phishing method (captive site)

Post by morganism » Sun Apr 28, 2019 8:42 pm

This is a browser capture method, and may trap you at the site if you don't have NoScript active.

"I don’t want to keep you any longer. If you’re still stuck here, one way to get out is to go to the Hacker News discussion and upvote this article."

"In Chrome for mobile, when the user scrolls down, the browser hides the URL bar, and hands the URL bar’s screen space to the web page. Because the user associates this screen space with “trustworthy browser UI”, a phishing site can then use it to pose as a different site, by displaying its own fake URL bar - the inception bar!

This is bad, but it gets worse. Normally, when the user scrolls up, Chrome will re-display the true URL bar. But we can trick Chrome so that it never re-displays the true URL bar! Once Chrome hides the URL bar, we move the entire page content into a “scroll jail” - that is, a new element with overflow:scroll. Then the user thinks they’re scrolling up in the page, but in fact they’re only scrolling up in the scroll jail! Like a dream in Inception, the user believes they’re in their own browser, but they’re actually in a browser within their browser. Here’s a video of the hack in use:" ... ng-method/
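Added example (not part of the original post or the quoted article): a defender-side heuristic that flags the layout the quote describes, an inner element with overflow scrolling that fills the viewport, together with a strip pinned where the real URL bar would sit. The snapshot field names, the thresholds and the sample data are assumptions made for this sketch.

```javascript
// Added example: flags a layout matching the quoted description. Snapshot
// field names and all thresholds are assumptions made for this sketch.
const SCROLLERS = new Set(["scroll", "auto"]);
// Fraction of the viewport area covered by a bounding rect.
function coverage(rect, vp) {
  const w = Math.min(rect.left + rect.width, vp.width) - Math.max(rect.left, 0);
  const h = Math.min(rect.top + rect.height, vp.height) - Math.max(rect.top, 0);
  return (Math.max(0, w) * Math.max(0, h)) / (vp.width * vp.height);
}

// Inner scroller filling the viewport with overflowing content (takes the gestures).
function isJailCandidate(el, vp, minCover = 0.9) {
  return SCROLLERS.has(el.overflowY) && el.scrollHeight > el.clientHeight &&
    coverage(el.rect, vp) >= minCover;
}

// A full-width strip pinned to the top edge, where the real URL bar would sit.
function isPinnedTopStrip(el, vp, maxHeight = 120) {
  return el.position === "fixed" && el.rect.top <= 0 &&
    el.rect.width >= vp.width * 0.95 && el.rect.height > 0 && el.rect.height <= maxHeight;
}

// "suspicious" needs both signals; a lone full-viewport scroller is "review".
function assessLayout(snap) {
  const jails = snap.elements.filter((e) => isJailCandidate(e, snap.viewport));
  const strips = snap.elements.filter((e) => isPinnedTopStrip(e, snap.viewport));
  const risk = jails.length === 0 ? "none" : strips.length > 0 ? "suspicious" : "review";
  return { risk, jails: jails.map((e) => e.id), strips: strips.map((e) => e.id) };
}

// Browser-only collector (not run under Node): builds the snapshot from the DOM.
function snapshotFromDom() {
  const elements = [...document.querySelectorAll("body *")].map((el, i) => {
    const cs = getComputedStyle(el), r = el.getBoundingClientRect();
    return { id: el.id || `${el.tagName.toLowerCase()}#${i}`, overflowY: cs.overflowY,
      position: cs.position, scrollHeight: el.scrollHeight, clientHeight: el.clientHeight,
      rect: { top: r.top, left: r.left, width: r.width, height: r.height } };
  });
  return { viewport: { width: window.innerWidth, height: window.innerHeight }, elements };
}

// Constructed sample snapshots (not captured from any real site).
const VP = { width: 360, height: 640 };
const box = (id, overflowY, position, top, height, scrollHeight) => ({ id, overflowY,
  position, scrollHeight, clientHeight: height, rect: { top, left: 0, width: 360, height } });
const SUSPECT = { viewport: VP, elements: [
  box("bar", "visible", "fixed", 0, 56, 56), box("wrap", "scroll", "absolute", 0, 640, 4000)] };
const ARTICLE = { viewport: VP, elements: [
  box("nav", "visible", "fixed", 0, 56, 56), box("code", "auto", "static", 300, 200, 900)] };
```

Full-viewport scrollers under a fixed header are also common in legitimate web apps, so a hit is a prompt to confirm the origin through the browser's own UI (tab switcher, page info), not proof of phishing.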
