Connect with us

Hi, what are you looking for?



Researchers Keep Finding Bugs in Google’s Password Alert Extension

Researchers have identified several ways to bypass Password Alert, an anti-phishing extension for Chrome launched last week by Google. The search giant has started patching some of the issues, but it’s having a hard time keeping up with researchers.

Researchers have identified several ways to bypass Password Alert, an anti-phishing extension for Chrome launched last week by Google. The search giant has started patching some of the issues, but it’s having a hard time keeping up with researchers.

Password Alert is designed to warn users when they enter their Google account credentials on a non-Google website. This protects internauts against phishing attacks, and discourages password reuse. However, researchers have demonstrated that malicious actors could easily bypass the open-source extension, which has already been installed by more than 70,000 users.

UK-based security consultant Paul Moore managed to bypass the tool shortly after it was launched with just seven lines of code. Moore’s first exploit, patched by Google with the release of Password Alert 1.4, was designed to quickly remove the warning displayed by the extension before users could see it.

“The first version was bypassed in seconds. I simply opened Chrome debugger, realised the ‘warning_banner’ was inside the DOM and removed it with Javascript,” Moore told SecurityWeek.

Netherlands-based security firm Securify has also identified a way to bypass Password Alert.

“The Password Alert extension uses the JavaScript keypress event to record user keystrokes on web pages. These recorded keystrokes are hashed and matched against the hashed Google password. If the hashes match, an alert page is shown,” Securify’s Niels Croese explained. “This bypass also listens to the JavaScript keypress event and sends a keypress event of it’s own every time the user presses a key. This way, when the user is typing his password into an input field, the Password Alert extension will be recording not only the user keystrokes but also the simulated keystrokes by the bypass code, preventing the hash generated from the keystrokes from ever matching the password hash, effectively bypassing the detection.”

This bypass was patched by Google with the release of version 1.5, along with a vulnerability identified by Steve Thomas (@Sc00bzT).

Advertisement. Scroll to continue reading.

Google has already released version 1.6 of Password Alert but, according to Moore, there are several exploits that still haven’t been patched.

Moore has disclosed exploits for refreshing the page on keypress, and forcing the plugin to become corrupted. Securify and a couple of other researchers has also identified multiple exploits that have not been addressed yet.

Moore believes some of the security holes are easy to fix, but others are difficult, if not impossible, to resolve.

“These exploits, some of which are downright comical, put the user at a disadvantage, not the attacker. It will help protect against the simplest of phishing attacks and for that, Google should be commended, but it arguably offers little protection against more sophisticated attacks,” Moore told SecurityWeek.

Croese also believes that the extension is not 100% effective. The expert says Google should inform users that Password Alert is not perfect in fending off phishing attacks and advise them to stay alert even if they have the extension installed.

“I think the plugin does add some security. In most situations it will work as it is supposed to, at least for as long as it’s not a widely known and used extension forcing every creator of phishing websites to bypass it. Like in many cases in IT security it is a constant back and forth between attackers and defenders: the attackers find a bypass, the defenders implement countermeasures,” Croese told SecurityWeek. “You could compare this with anti-malware products: they protect you against most known threats, but in some cases an unknown threat will slip past the defenses until the product developers bring out an update.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.