Developer James Fisher has discovered an exploit in Google Chrome for Android that can be used for phishing attacks.

The exploit, dubbed “inception bar” by Fisher, takes advantage of the fact that the browser hides the address bar when a users scrolls down a page – when that happens the exploit displays a fake address bar, making the phishing site look like a legitimate one.

When the user scrolls up again, the exploit can force Chrome into keeping the real address bar hidden so the user will not know any better.

This attack can be used to trick users into thinking that they are on, say, a legitimate banking website so they will enter their username and password.

The method Fisher demonstrated uses a screenshot of an address bar of a bank – it looks convincing but if a user tries interacting with it the person would discover that it’s just an image.

While this exploit also works on Apple devices, it won’t fool anyone as the iOS version of Chrome doesn’t hide the address bar when a user scrolls down so they will see both the fake and real address bars.