It took just a day for Google’s anti-phishing Chrome extension to fall victim to the very threat it’s trying to avoid.
Paul Moore, an information security consultant, uploaded a video to YouTube on Thursday showing how Google’s new Password Alert system can be duped by adding just seven lines of code to a website. Password Alert, a free extension for Google’s Chrome Web browser, was unveiled Wednesday. The tool is designed to alert users if they’ve landed on a malicious site that’s pretending to be Google in order to steal private information, a practice also known as phishing.
“In short, anyone looking to launch a phishing attack against a Google account simply needs to add those seven lines to render the Password Alert protection useless,” Moore told Forbes in an interview on Friday. “It’s an embarrassment really.”
Soon after Moore exploited the extension, Google’s Drew Hintz reported on his Twitter that the flaw was “fixed” and that users could update the extension to safeguard themselves from the issue.
Password Alert attempts keep passwords safe by preventing users from inputting their Google password on other sites and stoping them from reusing Google passwords on non-Google sites. Whenever a Google password is input into a website, Password Alert shows a message saying “Your Gmail password was just exposed to a non-Gmail page,” and tells users to change their Gmail password immediately.
The idea behind Password Alert is to prevent phishing attacks. Phishing is a technique employed by a malicious hacker that poses as a legitimate company or organization to steal sensitive information, such as passwords, social security numbers or credit card numbers. In many cases, those phishing attacks replicate the designs of a company’s website or email template.
As seen in his video, Moore created a fake Google login page that, at first blush, looked identical to the search company’s real page. However, the page had JavaScript code built-in that changed how Password Alert operated. The code reduced the warning message’s display to five milliseconds, making it practically impossible to see and ultimately letting users fall victim to phishing attacks.
Moore has punted the ball back to Google. In an update to his Twitter account on Friday, he revealed another JavaScript flaw that exploited the latest, patched update. Google has yet to respond to that flaw.
Google did not immediately respond to a request for comment.