Chrome 86 experiment: Google attempts to prevent scams by hiding full URLs

by Ugnius Kiguolis - - 2020-08-14

“A URL experiment” is meant to stop users to fall for online phishing attempts

Chrome 86 experiment URL shortening feature Google to release an URL shortening feature to tackle phishing and social engineering attacks

Google announced that it will roll out a new feature with its Chrome 86 release, and it will be tested on some randomly selected users. In a large scale experiment, users will be subjected to an alternative way they see the website's URL – they will only be shown the domain name instead.

The main goal of the test is to see whether users will be deceived by phishing sites, scams, and social engineering attacks if only the domain name is shown while they are visiting a malicious website:^[1]

In Chrome 86, we’re likewise going to experiment with how URLs are shown in the address bar on desktop platforms (animation below). Our goal is to understand — through real-world usage — whether showing URLs this way helps users realize they’re visiting a malicious website, and protects them from phishing and social engineering attacks.

In addition to the URL experiment that is supposed to help prevent online fraud, Chrome 86 will include additional security features, including heavy ad intervention (termination of ads that use inadequately large system resources and bandwidth) and JavaScript timing throttling (limitation of JavaScript timer wakeups to preserve device battery life).^[2] Stable release of Chrome 86 is due to release at the end of October 2020.^[3]

The participants will be able to opt out of URL shortening practice

The URL shortening feature works in a very simple manner. For example, somebody visiting a Wikipedia article would see the following address in the omnibar: https://en.wikipedia.org/wiki/URL (for example).

Those to be selected to participate in the Chrome 86 URL shortening experiment, however, will be presented with a different address, which will strip everything behind the abbreviation .org. To see the full URL, users can hover their mouse over at any time and view the remaining part – “/wiki/URL.”

Alternatively, those who do not wish for such functionality to be enabled on their Chrome browsers, they can right-click on the omnibar and select the “Always show full URLs” from the context menu. This selection will prevent participants from the URL shortening on all the visited websites from that time on.

Those who are willing to try the feature themselves can already do so. All they need to do is install the Chrome Canary or Dev channel, open chrome://flags in Chrome 86 and enable the following flags:

#omnibox-ui-reveal-steady-state-url-path-query-and-ref-on-hover
#omnibox-ui-sometimes-elide-to-registrable-domain
Optionally, #omnibox-ui-hide-steady-state-url-path-query-and-ref-on-interaction to show the full URL on page load until you interact with the page.

Social engineering and URL deception: how users fall for scams

Online fraud is very common all over the web, and each of the browser developers is trying to tackle the scam problem in various ways. For example, with the Mozilla Firefox 72 release in January, users no longer see the annoying notification prompts^[4] that has been so highly abused by various malicious websites – these later result in intrusive popups on desktop, and many are not aware that the activity persists due to website permissions enabled earlier.

Thousands of websites abuse the structure of URLs by including names of legitimate companies such as Apple, Microsoft, or Google. According to a study conducted by Google earlier, almost 60% of users were deceived by a misleading URL which included one of the familiar brand names or the “Secure Site” notification:^[5]

While users are confident in their ability to learn website identity from URLs, we show they are vulnerable to various identity obfuscation techniques—successfully identifying an average of 58% of URLs in our sample set. Incorrect user heuristics and strategies include scanning for familiar names, trusting all https links, and trusting the word “secure”.

This shows that visual representations of identifies users are accustomed to trusting can easily mislead many, resulting in data theft, financial losses, and other ramifications. With the help of the URL experiment, Google hopes to reduce the number of social engineering attacks from being successful on a larger scale.

About the author

Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions

References

^ Helping people spot the spoofs: a URL experiment. Google. Chromium Blog..
^ Pranob Mehrotra. Google Chrome tests throttling background JavaScript timers to improve battery life. XDA Developers. Mobile software development community.
^ James Vincent. Google is testing domain-only URLs in Chrome to help foil scams and phishing. The Verge. Technology news website.
^ Gabriel E. Hall. Firefox will block notification pop-up prompts from next year. 2-spyware. Cybersecurity news and malware insights.
^ Joshua Reynolds Deepak Kumar Zane Ma Rohan Subramanian Meishan Wu Martin Shelton Joshua Mason Emily Margarete Stark Michael Bailey. Measuring Identity Confusion with Uniform Resource Locators. Google Research. Publication details.