Less than 24 hours after Google unveiled Password Alert, security researcher devises a bypass

A simple script exploit can take down Google’s latest anti-phishing extension, Password Alert

Google launched its latest anti-phishing extension, Password Alert, on Wednesday to protect Chrome users from phishing attacks on Google products. However, within 24 hours of the release, a security researcher devised a simple script exploit to bypass it.

Paul Moore, an information security consultant at UK-based Urity Group, has written a simple code exploit for the Password Alert extension.

Moore pooh-poohed the idea that Google’s extension provides top-level security to Google users: “It beggars belief, the suggestion that it offers any real level of protection is laughable.”

Proof of Concept

Moore’s bypass requires the following few lines of code:

    <!-- BYPASS GOOGLE'S PASSWORD ALERT "PROTECTION" -->
    <script type="text/javascript">
    setInterval(function() {
        if(document.getElementById("warning_banner")) {
            document.getElementById("warning_banner").remove();
        }
    }, 5);
    </script>

Lines 2 & 8 are the start & end of a JavaScript block.
Lines 3 & 7 (setInterval) tell the UA to carry out what’s inside the function every x milliseconds (5 in this case).
Line 4 checks to see if the warning_banner (the window which the Password Alert plugin creates when it finds a phishing site) exists. This line isn’t strictly necessary, but to hide any errors which may alert the user, it’s included.
Line 5 searches the DOM for an element with an ID of “warning_banner” and removes it.

Basically, the script runs every 5 milliseconds, searches the page for instances of Google’s warning screen and simply removes it. That’s it. Technically, the warning window still appears… but it disappears so quickly, the user wouldn’t know.
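For defenders triaging a suspected phishing page, the pattern described above can be checked for in the page source. The following is an added example, not code from Moore or Google: a static heuristic that flags inline scripts which name the banner ID from the PoC and also remove or hide an element on a timer. The function names, indicator labels and the benign sample are constructed for illustration.

```javascript
// Added example (not from the article). Flags inline scripts that reference the
// banner id named in the PoC and also remove/hide an element on a timer.
const BANNER_ID = "warning_banner"; // element id taken from the PoC above
const ID_REF = new RegExp("[\"'`]" + BANNER_ID + "[\"'`]|#" + BANNER_ID + "\\b");
const HIDE = /\.remove\s*\(|removeChild\s*\(|\.(display|visibility|opacity)\s*=|\.hidden\s*=/;
const LOOP = /\bset(Interval|Timeout)\s*\(|requestAnimationFrame\s*\(|MutationObserver\b/;

// Return the bodies of inline <script> elements in an HTML string.
function inlineScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim() !== "") bodies.push(m[1]);
  }
  return bodies;
}

// List the indicators one script body shows; empty if it never names the banner.
function indicators(src) {
  if (!ID_REF.test(src)) return [];
  const found = ["references-banner-id"];
  if (HIDE.test(src)) found.push("removes-or-hides");
  if (LOOP.test(src)) found.push("repeats-or-observes");
  return found;
}

// Scan a page: one finding per inline script that names the banner id.
function scanPage(html) {
  return inlineScripts(html)
    .map(indicators)
    .filter((found) => found.length > 0)
    .map((found) => ({
      indicators: found,
      verdict: found.length === 3 ? "banner-tampering" : "review",
    }));
}

// Sample input: the article's PoC, plus a constructed benign timer script.
const SAMPLE_POC = `<script type="text/javascript">
setInterval(function() {
  if (document.getElementById("warning_banner")) {
    document.getElementById("warning_banner").remove();
  }
}, 5);
</script>`;
const SAMPLE_BENIGN = `<script>setInterval(function () {
  document.getElementById("clock").textContent = Date.now();
}, 1000);</script>`;

console.log(scanPage(SAMPLE_POC), scanPage(SAMPLE_BENIGN));
```

String matching of this kind misses obfuscated or externally loaded scripts, so a hit is a triage signal and a miss proves nothing.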

The PoC video is given below:

Google acted quickly on Moore’s exploit and updated Password Alert to version 1.4 to prevent the bypass code from working. Google engineer Drew Hintz tweeted about the fix:

To update your Password Alert, go to chrome://extensions/, enable developer mode, and click update extensions now.
