You have to respect that Google is trying to help its users avoid unwittingly giving away their passwords, but it’s a little unnerving that a researcher was able to neutralize the Password Alert notification so soon after it appeared. Google fixed the vulnerability quickly and immediately spread the word that a new version of the extension is available for users.
Password Alert is designed to give you a notification when you enter your Gmail password into a site that isn’t a Google site. The concept is good – if you are unknowingly entering your password into a phishing site, this notification should give you a heads up before you hand over your login info. Of course, it only works when the notification appears. Paul Moore managed to kill the notification as soon as it appeared, so that you would never see it at all. The attack requires only seven lines of code.
As we mentioned, Google responded quickly and updated the extension to version 1.4 to prevent this kind of attack. It looks as though Password Alert may still be vulnerable, as Paul Moore announced this morning on Twitter that there is already a new bypass.
Joshua Gulick
Josh cut his teeth (and hands) on his first PC upgrade in 2000 and was instantly hooked on all things tech. He took a degree in English and tech writing with him to Computer Power User Magazine and spent years reviewing high-end workstations and gaming systems, processors, motherboards, memory and video cards. His enthusiasm for PC hardware also made him a natural fit for covering the burgeoning modding community, and he wrote CPU’s “Mad Reader Mod” cover stories from the series’ inception until becoming the publication editor for Smart Computing Magazine. A few years ago, he returned to his first love, reviewing smoking-hot PCs and components, for HotHardware. When he’s not agonizing over benchmark scores, Josh is either running (very slowly) or spending time with family.