All it took was seven lines of code to dupe Google’s anti-phishing Chrome extension. And it didn’t take long: the anti-phishing Password Alert system was found to be flawed within 24 hours of its debut. Paul Moore, a security researcher with British Unity Group, wrote the JavaScript code that bypassed the anti-phishing protection the extension was supposed to provide.
Paul’s proof of concept
The anti-phishing Chrome extension called Password Alert was introduced on Wednesday to protect users from phishing sites and hackers. When a user types their Google password into any non-Gmail page, the extension alerts them that the password has been used there and should be changed. It also scans HTML pages that might be faking a Gmail login page. Paul uploaded a video on YouTube showing how his code could mislead Google’s Password Alert.
In this proof-of-exploit video, he showed how Password Alert fails to work. After he applied his seven lines of JavaScript code, the Password Alert banner repeatedly appeared and disappeared on the page, leaving users unable to make any use of it. He said that “anyone looking to launch a phishing attack against a Google account simply needs to add those seven lines to render the Password Alert protection useless.”
Other security flaws detected
Though Google has not come up with any response, it released a patched version, 1.4, to fix the Password Alert problem, according to Google engineer Drew Hintz. But as a matter of fact, that didn’t solve the problem entirely. Security experts have pointed out other security flaws related to the technology. They have found that any malicious page can generate fake keystrokes just to test whether the Password Alert banner appears, as part of an attempt to dupe the anti-phishing tool. Furthermore, after Google released its new patched version of Password Alert, Paul Moore showed another JavaScript exploit code which can bypass the latest version. He tweeted:
“#Google #PasswordAlert version 1.4 bypassed, again!”
Hence, Password Alert has been found to be easily bypassed by hackers on their phishing sites. Users should be careful when using this Chrome extension.