Google Trolled within 24 Hours of releasing Password Alert Extension

It’s really embarrassing for the tech giant Google to be trolled within 24 hours of releasing its latest tool to help users prevent phishing attacks. Password Alert, a Chrome extension released just 24 hours ago by Google, has been found vulnerable to a simple JavaScript exploit by UK-based information security researcher Paul Moore.
Moore presented a PoC exploit imitating the Google login page (users are advised not to enter their account details, except for testing purposes); it is a sophisticated malicious phishing page that lures visitors into entering their login credentials. According to Moore, if the Password Alert extension weren’t poorly designed, it would have warned users of the phishing attack. Instead, the warning is completely suppressed. Moore released a video PoC for the exploit.
“The suggestion that it offers any real level of protection is laughable”, says Paul Moore. He went on to say Google would do better devoting its resources to supporting the use of password managers, since most of them provide much more effective protections against phishing attacks.
The script used to bypass the Chrome extension is shown below:
<!-- BYPASS GOOGLE'S PASSWORD ALERT EXTENSION "PROTECTION" -->
<script type="text/javascript">
setInterval(function() {
    if(document.getElementById("warning_banner")) {
        document.getElementById("warning_banner").remove();
    }
}, 5);
</script>

Technical Details

In an email to a news website, Moore wrote:
“Lines 2 & 8 are the start & end of a JavaScript block.
Lines 3 & 7 (setInterval) tell the UA to carry out what’s inside the function every x milliseconds (5 in this case).
Line 4 checks to see if the warning_banner (the window which the Password Alert plugin creates when it finds a phishing site) exists. This line isn’t strictly necessary, but to hide any errors which may alert the user, it’s included.
Line 5 searches the DOM for an element with an ID of “warning_banner” and removes it.
Basically, the script runs every 5 milliseconds, searches the page for instances of Google’s warning screen and simply removes it. That’s it. Technically, the warning window still appears… but it disappears so quickly, the user wouldn’t know.”
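
For defenders, the pattern Moore describes can be flagged statically. The following is an added example, not code from Moore or Google: a Node.js triage check that grades a page by whether an inline script references the warning_banner ID and removes elements on a timer. The function names, heuristics and sample pages are assumptions constructed for illustration.

```javascript
// Added example (not Moore's or Google's code). The element ID comes from the
// script quoted on this page; heuristics and sample pages are constructed.
const TARGET_ID = "warning_banner";

// Pull out inline <script> bodies. A regex is adequate for triage, and the
// "|$" branch still captures a script whose closing tag is missing.
function inlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)(?:<\/script\s*>|$)/gi;
  return Array.from(html.matchAll(re), (m) => m[1]);
}

// Record three signals for one script body.
function analyzeScript(src) {
  return {
    refsBanner: src.includes(TARGET_ID),                 // names the warning element
    removes: /\.remove(?:Child)?\s*\(/.test(src),        // deletes DOM nodes
    repeats: /\bset(?:Interval|Timeout)\s*\(/.test(src), // runs on a timer
  };
}

// Grade a page: "high" = banner removed on a timer (the pattern above),
// "medium" = banner removed once, "low" = ID only referenced, "none" = no hit.
function scanPage(html) {
  const hits = inlineScripts(html).map(analyzeScript).filter((f) => f.refsBanner);
  if (hits.some((f) => f.removes && f.repeats)) return "high";
  if (hits.some((f) => f.removes)) return "medium";
  return hits.length ? "low" : "none";
}

// Constructed sample pages (the first embeds the script quoted on this page).
const BYPASS_PAGE = `<html><body><form action="/login"></form>
<script type="text/javascript">
setInterval(function() {
  if (document.getElementById("warning_banner")) {
    document.getElementById("warning_banner").remove();
  }
}, 5);
</script></body></html>`;
const CLOCK_PAGE = `<script>setInterval(function () {
  document.title = new Date().toISOString(); }, 1000);</script>`;
const OWN_BANNER_PAGE = `<div id="warning_banner"></div><script>
document.getElementById("warning_banner").textContent = "Maintenance tonight";
</script>`;

for (const [name, page] of Object.entries({ BYPASS_PAGE, CLOCK_PAGE, OWN_BANNER_PAGE })) {
  console.log(name, scanPage(page));
}
```

A "low" result, as on the third sample, only means the page uses the same ID for its own element and needs a manual look.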

Google’s Reaction

Given its reputation in the Internet market, Google responded swiftly to the problem and released a fix for the Password Alert Chrome extension. Users should update to the latest version of the extension to avoid this vulnerability. Google’s Drew Hintz said the Password Alert extension has been updated to version 1.4 to prevent Moore’s bypass from working. To install the new version, go to chrome://extensions/, enable developer mode, and click “Update extensions now”.
