Google recently launched Password Alert, a Chrome extension designed to detect when a site is trying to phish your Google password by mimicking Google’s sign-in box. Security expert Paul Moore was able to bypass the password check by adding seven lines of JavaScript code to his proof-of-concept exploit page. The exploit worked by checking for Google’s password detection alert every five milliseconds and closing it so quickly that the user would never see it.
Google quickly patched the exploit and updated the extension to version 1.4.
@Paul_Reviews It’s now fixed in 1.4. To update quickly, go to chrome://extensions/ , enable developer mode, click update extensions now.
— Drew Hintz (@DrewHintz) May 1, 2015
Unfortunately, Moore is reporting that he’s already been able to exploit version 1.4 as well, and apologized to Google’s Drew Hintz with a cheeky “SORRY DREW!” comment in his exploit code.
#Google #PasswordAlert version 1.4 bypassed, again! cc @dangoodin001 @jleyden @gcluley @troyhunt @EduardKovacs pic.twitter.com/JrvrlFBYWN — Paul Moore (@Paul_Reviews) May 1, 2015
Moore isn’t the only one trying to find security holes in the Password Alert extension. Another cryptography expert, Steve Thomas, has been attempting to code an attack that would grab the length of the user’s password as they enter it into a website. Fortunately he hasn’t gotten it working yet, but this only goes to show that, as with pretty much any security feature, there are those out there continually trying to find a way around it.
Password Alert is a great extension in concept, but it has to work in order to gain the trust of those who use it. Are you more or less inclined to use the Chrome extension after news of these exploits? Let us know in the comments below, or on Google+, Twitter, or Facebook!
Source: Forbes (http://www.forbes.com/sites/thomasbrewster/2015/05/01/google-embarassment-over-password-alert-hack/)
Last Updated on November 27, 2018.