If you spend a considerable amount of time on the Web, then you likely already know that phishing is a fact of life. Google knows this too, so in an effort to help people sidestep such dangers, it has been working on a feature called Origin Chip.
However, Web security firm PhishMe says that while Origin Chip is designed to strip a URL down to its bare essentials so that it is easier to tell whether you’re the target of a phishing attempt, it sometimes does the opposite.
“We’ve discovered that if a URL is long enough, Canary will not display any domain or URL at all, instead showing an empty text box with the ghost text ‘Search Google or type URL’,” Aaron Higbee and Shyaam Sundhar of PhishMe said. “This creates a golden opportunity for attackers to carry out data-entry phishing attacks.”
Instead of displaying, for instance, Amazon.com or Netflix.com, the flaw in Origin Chip can hide the URL entirely, which makes it impossible to tell whether you’re on a legitimate site just by looking at your browser’s address bar. Google has incorporated the feature into Chrome Canary, a version of the tech giant’s web browser that’s geared towards developers.
Higbee and Sundhar suggest that “a potential solution would be to keep the entire URL intact, but put a visual focus on the root domain.” Perhaps color-coding the root domain with hues like green for “safe” and red for “unsafe” could go a long way towards decreasing the likelihood that an average user falls victim to a phishing attempt.
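To make the proposed fix concrete, here is an added example (not code from the article, PhishMe or Google) of an address-bar renderer that follows their suggestion: the origin is always shown and visually emphasised, and only the path and query are shortened when a URL is long. The function names, the 80-character display limit and the sample URLs are assumptions made for this example.

```javascript
// Added example (not from the article or from PhishMe/Google): an address-bar
// renderer that keeps the origin visible however long the URL is, shortening
// only the path/query. This is the opposite of the failure mode described
// above, where a long URL caused the chip to show nothing at all.

// Returns the pieces a user needs to judge the site, or null when the input
// is not a parseable http(s) URL.
function originOf(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return { origin: u.origin, host: u.hostname, rest: u.pathname + u.search + u.hash };
}

// Builds a display string of at most maxLen characters. The origin is never
// dropped; only the path/query is shortened by eliding its middle. `emphasis`
// is the hostname the UI should highlight, per the PhishMe suggestion.
function renderAddress(rawUrl, maxLen = 80) {
  const parts = originOf(rawUrl);
  if (parts === null) return { ok: false, display: '', emphasis: '' };
  const { origin, rest } = parts;
  let tail = rest === '/' ? '' : rest;
  const room = maxLen - origin.length; // characters left after the origin
  if (tail.length > room) {
    if (room < 3) {
      tail = ''; // no room for anything meaningful: show the origin alone
    } else {
      const keep = room - 1; // one character reserved for the ellipsis
      const head = Math.ceil(keep / 2);
      tail = tail.slice(0, head) + '\u2026' + tail.slice(tail.length - (keep - head));
    }
  }
  return { ok: true, display: origin + tail, emphasis: parts.host };
}

// Constructed sample inputs: a short URL and one padded to thousands of
// characters, the kind of length the article says made the chip go blank.
const SHORT_URL = 'https://www.example.com/account/login';
const LONG_URL = 'https://www.example.com/a?' + 'x'.repeat(5000);

console.log(renderAddress(SHORT_URL).display);
console.log(renderAddress(LONG_URL).display);
```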
With that in mind, it’ll be interesting to see how Google will tackle this problem in future releases of Chrome.
What do you think? Sound off in the comments below.