Google's Shiny New Password Alert Compromised in Under a Day

Just hours after Google released Password Alert to protect against phishing, a “drop-dead simple” proof-of-concept exploit hit the street.

Password Alert is an open-source Chrome extension for Google and Google Apps for Work Accounts. It shows a warning if a user types her Google password into a site that isn’t a Google sign-in page. Chrome will remember a “scrambled” version of the Google Account password. So if a user types a password into a site that isn't a Google sign-in page, an alert pops up warning of being at-risk of being phished.

The exploit suppresses the alert by simply cancelling it out so quickly that a user doesn’t register it. The script runs every 5 milliseconds, searches the page for instances of Google’s warning screen and then removes it as soon as it appears. Google promptly updated the code to prevent the exploit, to version 1.4, but the gaping hole in the design of the feature worries some.

"It beggars belief," Paul Moore, an information security consultant at UK-based Urity Group, told Ars Technica. "The suggestion that it offers any real level of protection is laughable." He added that the R&D effort would have been better spent on developing a password manager.

The method of getting around the pop-up is familiar, and arguably should have occurred to Google coders.

“I saw the attack—a malicious site that has control of the Javascript can reach in to the functionality of Password Alert and simply delete the warning,” said Rapid7’s security engineering manager, Tod Beardsley, in an email. “This is similar to the way some sites aggressively detect and evade the presence of ad-blocking software.”

However, considering that according to Google, effective phishing attacks can succeed 45% of the time, and that nearly 2% of messages to Gmail are designed to trick people into giving up their passwords, any deterrent is helpful, even an imperfect one.

“Just because it's possible to evade Password Alert doesn't mean that the strategy of equipping the browser with better malicious site detection is a fool's errand,” Beardsley said. “It's a race, just like any other attack and defense dance. Viruses lead to anti-virus programs lead to anti-virus evasions lead to anti-virus evasion detection, and on and on. The same story repeats in forensics and anti-forensics, in password management and brute force strategies, and pretty much any other non-trivial area of security.” 

What’s Hot on Infosecurity Magazine?