14 DAY TRIAL // The latest version of Password Alert (1.6), the Chrome extension from Google that fights phishing attempts and bad passwords, can still be bypassed, keeping users unaware of falling victim to phishing attacks.
Google rolled out the new extension for Chrome last week, aiming at providing users with a way to take immediate action when they enter the Google password on a fraudulent page.
The protection consisted of displaying a warning that the string was typed in a fraudulent login field and offering to change the password before the attackers manage to hijack the Google account.
Password Alert updates are still inefficient
The day after Password Alert was released, security researcher Paul Moore from UK-based Urity Group showed how the phishing warning could be bypassed with a few lines of JavaScript that hid the alert (the warning would disappear before the user could see it).
Google addressed the glitch in version 1.4 of the extension, but the effort was not sufficient, as Moore came up with a new method, which suppressed the warning altogether.
Another update, to version 1.5, was released by the search giant, but it appears that the creativity of the security researchers knows no limits, as new solutions to circumvent protection have emerged, and they work even in the latest version of Password Alert, which is currently at 1.6.
Several bypass methods are available
One proof-of-concept, created by Dutch security company Securify, relies on the HTML sandbox attribute to load the phishing page in a sandboxed iframe, which blocks key press events from being generated. A video demonstrating the failure is embedded below.
Another one, credited to @FalleStar, works by cancelling the events captured by Password Alert, leading to failure to update the user of the phishing attack. Paul Moore also found a new way to snub the activity of the extension, by simply corrupting it in the browser.
The POCs currently available online have yet to be patched by Google. The problem cannot be easily fixed in some of the cases. However, Password Alert is a valid solution for simple phishing attacks.
Video from Securify demonstrating how Password Alert can be bypassed: