Google quickly patched the exploit and updated the extension to version 1.4.
@Paul_Reviews It’s now fixed in 1.4. To update quickly, go to chrome://extensions/ , enable developer mode, click update extensions now.
— Drew Hintz (@DrewHintz) May 1, 2015
Unfortunately, Moore is reporting that he’s already been able to exploit version 1.4 as well, and apologized to Google’s Drew Hintz with a cheeky “SORRY DREW!” comment in his exploit code.
Moore isn’t the only one trying to find security holes in the Password Alert extension as another cryptography expert, Steve Thomas, has been attempting to code in an attack that would grab the length of the user password as they enter it into a website. Fortunately he hasn’t gotten it working yet, but this only goes to show that – as with pretty much any security feature – there are those out there continually trying to find a way around it.
Password Alert is a great extension in concept, but it has to work in order to gain the trust of those who use it. Are you more or less inclined to use the Chrome extension after news of these exploits? Let us know in the comments below, or on Google+, Twitter, or Facebook!Source: Forbes