Chrome Canary 'Origin Chip' anti-phishing feature fails to fly
Posted by: Jon Ben-Mayor on 05/10/2014 07:59 AM
[
Comments
]
A new Beta feature for Chrome Canary was launched in order to make it easier to decipher whether or not a particular site is malicious. The feature undresses a URL all the way down to the naked core, in theory making it easier to see if you are a target of a phishing scam. However, what it really seems to do is allow scammers a golden opportunity.
Web security firm Phishme indicates that one glaring problem has arisen; when the URL is long enough, Canary will not display any domain or URL at all, instead showing an empty text box with the ghost text “Search Google or type URL.” While Canary is intended to help the user identify a link’s true destination, it will actually make it impossible for even the savviest users to evaluate the authenticity of a URL.
This creates a golden opportunity for attackers to carry out data-entry phishing attacks. A data-entry attack will send an email luring the recipient to a seemingly genuine website asking the recipient to enter user credentials. (Rohyt described this tactic in more detail in a previous blog). Since these attacks do not use malware, the best (and sometimes only) defense against them is a well-trained user who recognizes that the URL is not leading to a legitimate website. Without the ability to evaluate the URL, even the savviest user could fall victim to this type of attack.
Digital Trends gives this example: instead of displaying Amazon.com or Netflix.com, a flaw in Origin Chip could shroud the entire URL altogether, which makes it impossible for you to determine whether you’re on a legitimate site or not just by looking at the URL in your browser’s address bar. Google has incorporated the feature into Chrome Canary, a version of the tech giant’s web browser that’s geared towards developers.
How should Chrome tackle this issue? Merely extending the length of the URLs it will display isn’t a solution, because attackers will just make URLs as long as they need to be to avoid being displayed. A potential solution would be to keep the entire URL intact, but put a visual focus on the root domain. For instance, making the root domain color coded.
It will be interesting to see what Google does to fix this.
Web security firm Phishme indicates that one glaring problem has arisen; when the URL is long enough, Canary will not display any domain or URL at all, instead showing an empty text box with the ghost text “Search Google or type URL.” While Canary is intended to help the user identify a link’s true destination, it will actually make it impossible for even the savviest users to evaluate the authenticity of a URL.This creates a golden opportunity for attackers to carry out data-entry phishing attacks. A data-entry attack will send an email luring the recipient to a seemingly genuine website asking the recipient to enter user credentials. (Rohyt described this tactic in more detail in a previous blog). Since these attacks do not use malware, the best (and sometimes only) defense against them is a well-trained user who recognizes that the URL is not leading to a legitimate website. Without the ability to evaluate the URL, even the savviest user could fall victim to this type of attack.
Digital Trends gives this example: instead of displaying Amazon.com or Netflix.com, a flaw in Origin Chip could shroud the entire URL altogether, which makes it impossible for you to determine whether you’re on a legitimate site or not just by looking at the URL in your browser’s address bar. Google has incorporated the feature into Chrome Canary, a version of the tech giant’s web browser that’s geared towards developers.
How should Chrome tackle this issue? Merely extending the length of the URLs it will display isn’t a solution, because attackers will just make URLs as long as they need to be to avoid being displayed. A potential solution would be to keep the entire URL intact, but put a visual focus on the root domain. For instance, making the root domain color coded.
It will be interesting to see what Google does to fix this.
Comments
