Just seven lines of code were required to bypass Google's Password Alert service when it was released earlier this week. Security expert Paul Moore tore into the Chrome browser extension, which warns users when they type their Google password into a scam or phishing site, using some simple JavaScript that killed the alerts as soon as they started to appear.
In his proof-of-concept exploit, he showed what happened when he copied a Gmail login page that did not include his malicious JavaScript and tried to type in a password. The alerts worked, but they stopped showing once he added the code, which checked for the warning banner every five milliseconds and removed it as soon as it was displayed. "As it fires so rapidly, the alert appears and disappears too quickly to be detectable by the user," Moore told FORBES over email.
"In short, anyone looking to launch a phishing attack against a Google account simply needs to add those seven lines to render the Password Alert protection useless. It's an embarrassment really."
Password expert Per Thorsheim said that anyone planning on using the tool, whether consumers or businesses, should carry out a risk analysis. "It is a novel idea from Google and should be developed further. In its current form it doesn't look good."