1. 43

  2. 22

    Nice demonstration of the attack! However, it’s not a new phishing method; it has a name, and it’s called a picture in picture attack.

    1. 7

      Ironically, the scroll hijacking prevents mobile Safari from hiding the URL; it’s always full size. But there will be ways around that.

      1. 3

        Doesn’t work in Firefox for Android :-)

        1. 3

          Safari on iOS 12.2, iPhone X appears to be totally immune to this specific attack: in the “minimized top bar” mode, the browser still shows the domain and an HTTPS indicator.

          1. 2

            This man is a monster.

            1. 2

              Doesn’t work reliably with Chrome 74.0.3729.112 on Android 8.0.0. Sometimes, both the original and the forged address bar are visible at the same time. I found that the easiest way to replicate this is to quickly scroll up and down after the page is loaded, but it may take some practice.

              A nice discovery nonetheless! I could imagine falling for this very easily.