This article is more than 1 year old

Google Password Alert could be foiled with just 7 lines of JavaScript

Credit where it's due, they plugged the vuln pretty quickly

Google has been obliged to revise its Password Alert anti-phishing protection just hours after releasing it when security researchers showed how the technology was easily circumvented.

Security consultant Paul Moore (@Paul_Reviews) has published a proof-of-concept JavaScript exploit that skirted the defensive technology with just seven lines of code.

The Password Alert for Chrome browser plug-in is meant to trigger alerts for users in cases when they are induced to hand over their password to counterfeit sites impersonating Google (other online services aren't covered).

The extension only kicks into action after users have signed into their Google account; thereafter it puts up warnings to reset Gmail passwords in cases where users are taken in by a phish.

The problem is these alerts can be shut down with minimum effort and a few lines of JavaScript planted on counterfeit sites. More specifically, Moore's script looks for a warning banner every five milliseconds before removing anything it detects. Other approaches aimed at preventing humans actually seeing a warning – effectively killing off alerts kill as soon as they are generated – might also have been possible.

Moore posted a short video on YouTube to highlight his concerns.

Bypassing Google's Password Alert "Protection"

Chris Boyd, a malware intelligence analyst at security software firm Malwarebytes, backed up worries about how easily Password Alert might be bypassed in a blog post that explains the issue in greater depth here.

To its credit, Google responded promptly to the issue, updating its technology hours after El Reg flagged up the problem and requested a comment.

"[The] issue is now fixed and the current version of Password Alert includes the patch," a spokesman told El Reg by email on Friday morning.

Google's anti-phishing tech was only released on Wednesday so early teething troubles are arguably to be expected. Relying on Password Alert is, in any case, maybe not enough and users should consider turning on two-step authentication and/or using a full fat password manager such as LastPass to protect them from phishing attacks.

Google researchers and a team from University of California, San Diego recently warned (PDF) that the most effective phishing attacks can succeed 45 per cent of the time. ®

More about

TIP US OFF

Send us news


Other stories you might like