There’s a new hacking method making the rounds and it’s as clever as it is annoying. According to a new report, attackers are using the Kiosk Mode of Chrome to put the browser into full-screen mode, which then refuses to let you do anything else until you input your Google password. At that point, of course, your password is stolen.
A report from OALabs describes this novel attack vector for stealing Google credentials. It’s really a combination of two techniques.
First, a Windows program launches Chrome on a Google login page and starts it in Kiosk Mode (on the command line, that is Chrome’s --kiosk switch). This is a UI feature that shows a page full screen with no address bar, tabs, or window controls, exactly the sort of thing you’d see at a self-service retail kiosk. Even advanced users might have trouble getting out of it, because the usual ways to leave full-screen mode (F11 and Esc) do nothing in Kiosk Mode.
But the only thing you can do on that page is enter a Google login and password. Once you do, a second program captures the credentials and sends them to the attacker. In the worst case, the attacker then changes your password, immediately locking you out of Gmail and every other account tied to it, including third-party services that use Google’s sign-in platform.
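One practical check that follows from the description above is to look for a browser that is running with the --kiosk switch and ask what launched it: a user who opened Kiosk Mode by hand has explorer.exe as the parent process, while a dropper running from a temp or profile folder does not. The script below is an added example, not code from the article or from the OALabs report; it assumes a Windows host with the CIM cmdlets (Windows PowerShell 5.1 or PowerShell 7), and the browser image names and the path heuristic are assumptions you may want to widen.

```powershell
# Added example (not from the article or the OALabs report): find a browser that
# was started in kiosk mode and report who launched it.
# Assumes Windows with Get-CimInstance available; browser names are assumptions.

function Find-KioskBrowser {
    [CmdletBinding()]
    param(
        # Chrome is the browser named in the article; other Chromium-based
        # browsers accept the same --kiosk switch.
        [string[]]$BrowserNames = @('chrome.exe', 'msedge.exe', 'brave.exe')
    )

    $procs = Get-CimInstance -ClassName Win32_Process
    $byId  = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        if ($BrowserNames -notcontains $p.Name) { continue }
        if (-not $p.CommandLine) { continue }
        if ($p.CommandLine -notmatch '(?i)(^|\s)--kiosk(\s|=|$)') { continue }

        $parent = $byId[[int]$p.ParentProcessId]

        # Heuristic (assumption): a human launch comes from explorer.exe in
        # C:\Windows; a dropper typically lives under Temp or AppData.
        $suspicious = ($null -eq $parent) -or
                      ($parent.Name -ne 'explorer.exe') -or
                      ($parent.ExecutablePath -match '(?i)\\(Temp|AppData)\\')

        # Pull the URL from the command line so the analyst can see whether
        # the page being forced on the user is a Google login page.
        $url = if ($p.CommandLine -match '(?i)https?://\S+') { $Matches[0] } else { '<none>' }

        [pscustomobject]@{
            ProcessId  = $p.ProcessId
            Browser    = $p.Name
            Url        = $url
            ParentPid  = $p.ParentProcessId
            ParentName = if ($parent) { $parent.Name } else { '<exited>' }
            ParentPath = if ($parent) { $parent.ExecutablePath } else { '<unknown>' }
            Suspicious = $suspicious
        }
    }
}

# Report what was found, then close any browser flagged as suspicious so the
# full-screen login page goes away. The parent process (the likely dropper)
# is left for the analyst to inspect rather than killed blindly.
$hits = Find-KioskBrowser
$hits | Format-Table -AutoSize
foreach ($h in ($hits | Where-Object Suspicious)) {
    Stop-Process -Id $h.ProcessId -Force -ErrorAction SilentlyContinue
}
```

Run it from an elevated PowerShell session so that Win32_Process returns command lines for all users; without elevation, CommandLine can be empty for processes you do not own and the match will simply skip them.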
It’s a devious little one-two punch for identity thieves. While the tool has been observed going after Chrome specifically, it’s capable of using other browsers with similar implementations of Kiosk Mode to do the same.
Savvy Windows users may be able to get out of the login prompt: Ctrl + Alt + Delete still brings up the Windows security screen, from which you can open Task Manager (or press Ctrl + Shift + Esc to open it directly) and end the browser process. But this combination of tools is so direct and so annoying that even long-time PC users might just type in their Google password out of reflex.
As always, be careful when you download anything and be mindful of where you’re downloading it from. And if you ever see a full-screen Google login page unexpectedly, the first thing you should do (after escaping it) is run a good virus scan.