Google Chrome Status Bar Exploit Using Javascript

So today I wrote a short proof of concept that takes advantage of Chrome’s status bar user interface design and allows a malicious website to potentially trick a user into navigating a link to an untrusted page, and it uses nothing more than Javascript and CSS3. You can watch the short narrated video example of the exploit here:

The problem is that because the UI for the status bar is located within the web frame, any HTML or CSS can be used to emulate the UI control and trick a user. Although the usage is limited to some relatively low-risk scenarios, I imagine it could be pretty effective as a social-engineering exploit for the common user, if done properly.

Oh, and you can also run the demo code yourself (just make sure you have Chrome). There’s also a “taste test” version, where you can test your own ability to spot the difference.