It took just a day for Google’s anti-phishing Chrome extension to fall victim to the very kind of attack it is meant to stop.
Paul Moore, an information security consultant, posted a video to YouTube on Thursday showing how Google’s new Password Alert extension can be defeated by adding just seven lines of code to a website. Password Alert, a free extension for Google’s Chrome browser, was announced on Wednesday. The tool is designed to warn users when they have landed on a malicious site that impersonates Google in order to harvest credentials, a practice known as phishing.
“In short, anybody looking to launch a phishing attack against a Google account just needs to add those seven lines to render the Password Alert security useless,” Moore told Forbes on Friday. “It’s an embarrassment really.”
Shortly after Moore published the bypass, Google’s Drew Hintz wrote on Twitter that the flaw was “fixed” and that users could update the extension to protect themselves.
Password Alert tries to keep passwords safe by warning users the moment they enter their Google password on a non-Google site, which also discourages reusing the Google password elsewhere. Whenever the Google password is typed into such a site, Password Alert shows a message saying “Your Gmail password was just exposed to a non-Gmail page” and tells the user to change their Gmail password immediately.
The idea behind Password Alert is to blunt phishing attacks. Phishing is a technique in which an attacker poses as a legitimate person or organization to steal sensitive data such as passwords, social security numbers or credit card numbers. Such attacks often copy the look of an organization’s website or email template.
Google did not immediately respond to a request for comment.
Source: CNET