Google’s Password Alert Bypassed, Patched, Bypassed Again


Google recently launched Password Alert, a Chrome extension designed to detect when a site is trying to phish your Google password by mimicking Google’s sign-in box. Security expert Paul Moore was able to bypass the password check by adding seven lines of JavaScript code to his proof-of-concept exploit page. The exploit worked by checking for Google’s password detection alert every five milliseconds and closing it so quickly that it was undetectable by the user.

Google quickly patched the exploit and updated the extension to version 1.4.

Unfortunately, Moore reports that he has already been able to exploit version 1.4 as well, and he apologized to Google’s Drew Hintz with a cheeky “SORRY DREW!” comment in his exploit code.

Moore isn’t the only one trying to find security holes in the Password Alert extension: another cryptography expert, Steve Thomas, has been attempting to code an attack that would grab the length of the user’s password as they enter it into a website. Fortunately he hasn’t gotten it working yet, but this goes to show that, as with pretty much any security feature, there are those out there continually trying to find a way around it.

Password Alert is a great extension in concept, but it has to work in order to gain the trust of those who use it. Are you more or less inclined to use the Chrome extension after news of these exploits?

  Source: Forbes