
Researchers play Whack-a-Mole with Google Password Alert

Posted on May 3, 2015.

Phishing is a huge problem with no indication of any solution (see, for example, Phishing: detection and prevention). Last week Google attempted to alleviate the issue with the release of a Chrome extension: Password Alert.

If you end up on a phishing page that asks you to enter your Google password, the extension pops up a warning.

It doesn’t necessarily stop the phishing, but alerts you so that you can potentially recover (by resetting your password) before too much damage is done.

But within 24 hours researcher Paul Moore demonstrated an exploit to bypass the alert. It took just 7 lines of JavaScript to suppress Google’s warning.

In very short order, Google updated the plugin to a new version. It took them just hours. But again, within hours, Paul Moore developed another exploit for the new version, this time using just 3 lines of code.

This is where I lost track. The latest version is 1.6. However, while Paul Moore was developing his exploits, security firm Securify was working on its own exploits. Latest from The Hacker News says this:

After Google released the updated version 1.6 of Password Alert that fixed the second exploit rolled out by Paul Moore, security researchers from Securify firm discovered a way to again bypass Google’s Password Alert feature in the latest version.

All of this has happened in just the last three or four days.

It’s pure Whack-a-Mole (as, in fact, is everything in security). So what should we do? In this case it’s quite simple – do not install this plug-in. More of the mainstream IT press has announced the plug-in than has warned of the exploits. The likelihood is that many of the 67,000-odd existing downloaders will be totally unaware of the problems. They are, in fact, more vulnerable with this security plug-in than they would be without it. They will believe themselves to be more secure than they are, and will likely be less aware of any phishing. False security is often worse than no security.


Submitted in: Kevin Townsend's opinions, News, News_vulnerabilities