It took just a day for Google’s anti-phishing Chrome extension to fall victim to the very threat it’s trying to keep away.

Paul Moore, a data security expert, uploaded a video to YouTube on Thursday showing how Google’s new Password Alert system can be tricked by adding only seven lines of code to a site. Password Alert, a free extension for Google’s Chrome Web browser, was announced Wednesday. The tool is designed to alert users if they’ve landed on a malicious site that is pretending to be Google in order to steal private data, a practice known as phishing.

“In short, anybody looking to launch a phishing attack against a Google account just needs to add those seven lines to render the Password Alert security useless,” Moore told Forbes on Friday. “It’s an embarrassment, really.”

Not long after Moore exploited the extension, Google’s Drew Hintz wrote on Twitter that the flaw was “fixed” and that users could update the extension to protect themselves from the issue.

Password Alert attempts to keep passwords safe by preventing users from entering their Google password on other sites and stopping them from reusing Google passwords on non-Google sites. Whenever a Google password is entered into a site, Password Alert shows a message saying “Your Gmail password was just exposed to a non-Gmail page,” and tells users to change their Gmail password immediately.

The idea behind Password Alert is to prevent phishing attacks. Phishing is a technique in which a malicious hacker poses as a legitimate organization to steal sensitive data, for example passwords, social security numbers or credit card numbers. In many cases, those phishing attacks replicate the design of an organization’s site or email template.

As seen in his video, Moore made a fake Google login page that, at first blush, appeared identical to Google’s real page. However, the page contained embedded JavaScript code that changed how Password Alert worked. The code reduced the warning message’s display time to five milliseconds, making it practically impossible to see and ultimately letting users fall victim to phishing attacks.

Moore has punted the ball back to Google. In an update to his Twitter account on Friday, he revealed another JavaScript flaw that bypassed the most recent, fixed update. Google has yet to respond to that flaw.

Google did not immediately respond to a request for comment.

Source: Cnet
