Background

Mobile browsers attempt to give as much screen real estate to the web page as possible. This keeps the user experience closer to that of a desktop browser. The unfortunate side effect of this approach is that the software designers have hidden two critical pieces of information that need to be available to the user at all times: the URL of the current site and the SSL status of the page. This attack is very simple, but I haven't seen anyone else talk about it.

How the attack works:

1) A user is sent a link via email, another web page, etc. Since most mobile devices have no equivalent of a mouseover event, the user may not check whether the link text matches the link URL.

2) If the user follows the link to a malicious site, the attacker can use JavaScript to scroll the real title bar so far up the page that the user can no longer reach it. As usual, URL shorteners help this attack quite a bit. Additionally, the attacker can use a long domain name (e.g. accounts.google.com.attacker-example.com), and a mobile browser title bar will not be wide enough to display the attacker-controlled portion of the URL.

3) The malicious site can provide a fake interactive title bar that provides a false URL, page title, and SSL certificate status.

4) The malicious site can choose to simply steal credentials at this point or initiate a man-in-the-middle attack.

5) The user can be prevented from scrolling up to the real title bar or using the back button to escape. The only way I have seen so far to break away from the malicious site would be to close the page.

6) If the user does not notice the fake title bar, a man-in-the-middle HTTP proxy that strips SSL from connections can capture all information moving in and out of the mobile browser until that tab is closed.
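The domain truncation in step 2 is easy to model. The following is an added example, not code from the original post: it simulates a narrow, left-anchored title bar to show why accounts.google.com.attacker-example.com reads as a Google site, and contrasts it with the defensive rendering of always keeping the registrable domain visible. The suffix list is a constructed stand-in for the real Public Suffix List.

```javascript
// Constructed, deliberately tiny stand-in for the Public Suffix List.
const KNOWN_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

function hostnameOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// Registrable domain (eTLD+1): the label just left of the longest known suffix.
function registrableDomain(hostname) {
  const labels = hostname.split(".");
  for (let i = 1; i < labels.length; i++) {
    if (KNOWN_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return hostname;
}

// Naive title bar: shows the first `width` characters of the host, as in step 2.
function leftTruncated(url, width) {
  const host = hostnameOf(url);
  return host.length <= width ? host : host.slice(0, width - 1) + "\u2026";
}

// Defensive rendering: elide on the left, never cut the registrable domain.
function rightAnchored(url, width) {
  const host = hostnameOf(url);
  if (host.length <= width) return host;
  const reg = registrableDomain(host);
  const prefix = host.slice(0, host.length - reg.length); // ends with "."
  const room = width - reg.length - 1;                   // one char for the ellipsis
  const shown = room > 0 ? prefix.slice(prefix.length - room) : "";
  return "\u2026" + shown + reg;
}

// Check a link against the domain the user believes they are visiting.
function belongsTo(url, expectedRegistrable) {
  return registrableDomain(hostnameOf(url)) === expectedRegistrable.toLowerCase();
}

const LOOKALIKE = "https://accounts.google.com.attacker-example.com/login"; // constructed
console.log(leftTruncated(LOOKALIKE, 20));   // accounts.google.com…
console.log(rightAnchored(LOOKALIKE, 24));   // …om.attacker-example.com
console.log(belongsTo(LOOKALIKE, "google.com")); // false
```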

Some caveats to the attack:

1) When the browser is actually loading data, the real title bar does show up. If the user sees the real title bar, they may notice the attack and escape from it.

2) I've only set up a proof-of-concept attack using user-scalable=0 in the viewport meta tag. If the user can zoom in and out on a web page, a fake title bar would scale with the page and look much more out of place. I think that JavaScript could probably scale the fake URL bar back to the top after a zoom action completes.

3) There are minor behavioral differences in an attacked browser. The setInterval() method I used does not properly rubber-band scroll off the top of the screen.

4) Stealing credentials is more likely than a full man-in-the-middle attack. In the MITM scenario the real title bar shows up every time the browser loads new data, allowing the user to break out if they notice.

5) The fake title bar will not behave properly when changing between portrait and landscape mode.

Example Code:

I currently have a working iPhone and Android proof of concept. The core of the attack can be summed up in a few lines of JavaScript:

// Jump down the page so the browser's real title bar scrolls off the top
window.scroll(0, 1000);

function scroller()
{
  // If the page has drifted back toward the top, push it down again
  if (window.pageYOffset < 2000)
  {
    window.scrollTo(0, 2000);
  }
}

// Re-check every 100 ms; passing the function itself avoids the string form of setInterval
var testScroll = self.setInterval(scroller, 100);

You can check out my iPhone proof of concept here:

iPhone Fake Title Bar

You can check out my Android proof of concept here:

Android Fake Title Bar

(Sorry about the poor quality of the image. I don't own an Android device, so I had to find a browser screenshot online.)