Security Experts:

Researchers Keep Finding Bugs in Google’s Password Alert Extension

Researchers have identified several ways to bypass Password Alert, an anti-phishing extension for Chrome launched last week by Google. The search giant has started patching some of the issues, but it’s having a hard time keeping up with researchers.

Password Alert is designed to warn users when they enter their Google account credentials on a non-Google website. This protects internauts against phishing attacks, and discourages password reuse. However, researchers have demonstrated that malicious actors could easily bypass the open-source extension, which has already been installed by more than 70,000 users.

UK-based security consultant Paul Moore managed to bypass the tool shortly after it was launched with just seven lines of code. Moore’s first exploit, patched by Google with the release of Password Alert 1.4, was designed to quickly remove the warning displayed by the extension before users could see it.

“The first version was bypassed in seconds. I simply opened Chrome debugger, realised the ‘warning_banner’ was inside the DOM and removed it with Javascript,” Moore told SecurityWeek.

Netherlands-based security firm Securify has also identified a way to bypass Password Alert.

“The Password Alert extension uses the JavaScript keypress event to record user keystrokes on web pages. These recorded keystrokes are hashed and matched against the hashed Google password. If the hashes match, an alert page is shown,” Securify’s Niels Croese explained. “This bypass also listens to the JavaScript keypress event and sends a keypress event of it's own every time the user presses a key. This way, when the user is typing his password into an input field, the Password Alert extension will be recording not only the user keystrokes but also the simulated keystrokes by the bypass code, preventing the hash generated from the keystrokes from ever matching the password hash, effectively bypassing the detection.”

This bypass was patched by Google with the release of version 1.5, along with a vulnerability identified by Steve Thomas (@Sc00bzT).

Google has already released version 1.6 of Password Alert but, according to Moore, there are several exploits that still haven’t been patched.

Moore has disclosed exploits for refreshing the page on keypress, and forcing the plugin to become corrupted. Securify and a couple of other researchers has also identified multiple exploits that have not been addressed yet.

Moore believes some of the security holes are easy to fix, but others are difficult, if not impossible, to resolve.

“These exploits, some of which are downright comical, put the user at a disadvantage, not the attacker. It will help protect against the simplest of phishing attacks and for that, Google should be commended, but it arguably offers little protection against more sophisticated attacks,” Moore told SecurityWeek.

Croese also believes that the extension is not 100% effective. The expert says Google should inform users that Password Alert is not perfect in fending off phishing attacks and advise them to stay alert even if they have the extension installed.

“I think the plugin does add some security. In most situations it will work as it is supposed to, at least for as long as it's not a widely known and used extension forcing every creator of phishing websites to bypass it. Like in many cases in IT security it is a constant back and forth between attackers and defenders: the attackers find a bypass, the defenders implement countermeasures,” Croese told SecurityWeek. “You could compare this with anti-malware products: they protect you against most known threats, but in some cases an unknown threat will slip past the defenses until the product developers bring out an update.”

view counter