Researcher James Fisher has found a new Chrome mobile exploit that takes advantage of how the app displays the address bar.

In Chrome for mobile, when the user scrolls down, the browser hides the URL bar, and hands the URL bar’s screen space to the web page. Because the user associates this screen space with “trustworthy browser UI”, a phishing site can then use it to pose as a different site, by displaying its own fake URL bar – the inception bar!

This is bad, but it gets worse. Normally, when the user scrolls up, Chrome will re-display the true URL bar. But we can trick Chrome so that it never re-displays the true URL bar! Once Chrome hides the URL bar, we move the entire page content into a “scroll jail” – that is, a new element with overflow:scroll. Then the user thinks they’re scrolling up in the page, but in fact they’re only scrolling up in the scroll jail! Like a dream in Inception, the user believes they’re in their own browser, but they’re actually in a browser within their browser. Here’s a video of the hack in use: