Table Of Contents
A simple script exploit can take down Google’s latest anti-phishing extension, Password Alert
Google had launched its latest anti-phishing extension called Password Alert on Wednesdayย to protect Chrome users from phishing attacks on Google products. ย However within 24 hours of releasing the new extension, a security researcher has devised a simple script exploit to bypass it.
Paul Moore, a information security consultant at UK based Urity Group has written a simple code exploit for Password Alert extension.
Moore pooh poohed the thought of Google’s extension providing top level security to Google users, “It beggars belief, the suggestion that it offers any real level of protection is laughable.”
Proof of Concept
Moore’s bypass requires the following few lines of code:
<!– BYPASS GOOGLE’S PASSWORD ALERT “PROTECTION” –> <script type=”text/javascript”> setInterval(function() { if(document.getElementById(“warning_banner”)) { document.getElementById(“warning_banner”).remove(); } }, 5); <script>
Lines 2 & 8 are the start & end of a Javascript block.
Lines 3 & 7 (setinterval) tells the UA to carry out whatโs inside the function every x milliseconds (5 in this case).
Line 4 checks to see if the warning_banner (the window which the Password Alert plugin creates when it finds a phishing site) exists. This line isnโt strictly necessary, but to hide any errors which may alert the user, itโs included.
Line 5 searches the DOM for an element with an ID of โwarning_bannerโ and removes it.Basically, the script runs every 5 milliseconds, searches the page for instances of Googleโs warning screen and simply removes it. Thatโs it. Technically, the warning window still appearsโฆ but it disappears so quickly, the user wouldnโt know.
The PoC video is given below :
Google has acted very fast on the exploit written by Moore and updated Password Alert to version 1.4 to prevent Moore’s bypass code from working. Google engineer Drew Hintz tweeted about the fix :
@dangoodin001 It's now fixed in 1.4. To update quickly, go to chrome://extensions/ , enable developer mode, click update extensions now.
— Drew Hintz (@DrewHintz) May 1, 2015
To update your Password Alert, go to chrome://extensions/, enable developer mode, and click update extensions now.