A simple script exploit can take down Google’s latest anti-phishing extension, Password Alert
Google launched its latest anti-phishing extension, Password Alert, on Wednesday to protect Chrome users from phishing attacks on Google products. However, within 24 hours of the extension's release, a security researcher devised a simple script exploit to bypass it.
Paul Moore, an information security consultant at UK-based Urity Group, has written a simple code exploit for the Password Alert extension.
Moore pooh-poohed the thought of Google’s extension providing top-level security to Google users: “It beggars belief, the suggestion that it offers any real level of protection is laughable.”
Proof of Concept
Moore’s bypass requires the following few lines of code:
Lines 3 & 7 (setInterval) tell the UA to carry out what’s inside the function every x milliseconds (5 in this case).
Line 4 checks to see if the warning_banner (the window which the Password Alert plugin creates when it finds a phishing site) exists. This line isn’t strictly necessary, but to hide any errors which may alert the user, it’s included.
Line 5 searches the DOM for an element with an ID of “warning_banner” and removes it.
Basically, the script runs every 5 milliseconds, searches the page for instances of Google’s warning screen and simply removes it. That’s it. Technically, the warning window still appears… but it disappears so quickly, the user wouldn’t know.
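The behaviour described above leaves a recognisable footprint in page source: a script that names the `warning_banner` id and removes or hides that element on a repeating timer. The following added example, which is not from the article, Moore or Google, is a heuristic scanner for captured page HTML; the function names, verdict labels and sample pages are assumptions constructed for illustration.

```javascript
// Added example: triage captured page HTML for inline scripts that target
// the Password Alert banner. Heuristic only; all names here are hypothetical.
const BANNER_ID = "warning_banner"; // element id named in the article

// Pull the bodies of inline <script> elements out of raw HTML.
function inlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  return Array.from(html.matchAll(re), (m) => m[1]);
}

// Undo trivial string splitting such as "warning_" + "banner".
function normalize(src) {
  return src.replace(/["'`]\s*\+\s*["'`]/g, "");
}

// Score one script: banner reference, removal/hiding, and repetition.
function assessScript(src) {
  const code = normalize(src);
  const referencesBanner = code.includes(BANNER_ID);
  const removesOrHides = /\.remove\s*\(|removeChild\s*\(|\.style\.(display|visibility)|\.hidden\s*=/.test(code);
  const repeats = /\bsetInterval\s*\(|\bMutationObserver\b|\brequestAnimationFrame\s*\(/.test(code);
  let verdict = "none";
  if (referencesBanner) verdict = "review";
  if (referencesBanner && removesOrHides) verdict = "suspicious";
  if (verdict === "suspicious" && repeats) verdict = "high";
  return { verdict, signals: { referencesBanner, removesOrHides, repeats } };
}

// Worst verdict across all inline scripts on the page.
function assessPage(html) {
  const order = ["none", "review", "suspicious", "high"];
  let worst = { verdict: "none", signals: {} };
  for (const src of inlineScripts(html)) {
    const r = assessScript(src);
    if (order.indexOf(r.verdict) > order.indexOf(worst.verdict)) worst = r;
  }
  return worst;
}
// Constructed samples (not Moore's code): the pattern the article describes,
// with the id split across two literals, and an unrelated page.
const SAMPLE_SUSPECT = `<html><body><form>...</form><script>
setInterval(function () {
  var el = document.getElementById("warning_" + "banner");
  if (el) { el.parentNode.removeChild(el); }
}, 5);
</script></body></html>`;
const SAMPLE_BENIGN = `<html><script>setInterval(function () { tick(); }, 1000);</script></html>`;

console.log(assessPage(SAMPLE_SUSPECT).verdict, assessPage(SAMPLE_BENIGN).verdict);
```

A "review" or higher verdict is a prompt for an analyst to read the script, not proof of malice; heavier obfuscation than literal splitting will evade these string checks.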
The PoC video is given below:
Google has acted very fast on the exploit written by Moore and updated Password Alert to version 1.4 to prevent Moore’s bypass code from working. Google engineer Drew Hintz tweeted about the fix:
@dangoodin001 It's now fixed in 1.4. To update quickly, go to chrome://extensions/ , enable developer mode, click update extensions now.
— Drew Hintz (@DrewHintz) May 1, 2015
To update your Password Alert, go to chrome://extensions/, enable developer mode, and click update extensions now.