Google Chrome Anti-Phishing Extension Already Bypassed – Update

Spread the love

The Chrome extension that can warn against phishing Google passwords can already be circumvented via a simple exploit. The exploit was also quickly countered by Google with an update, but early adopters still have to do that manually.

That writes Arstechnica. The proof-of-concept exploit comes less than 24 hours after the extension was released. The Password Alert Chrome extension compares the text entered to a hash of the Google password and can warn when the password is entered on a non-Google site.

The exploit uses Javascript to check every five milliseconds for the warning from Google. Once that is the case, the notification will be removed immediately. This happens so fast that the user never sees the warning.

Security researcher Paul Moore of British security firm Urity Group says the suggestion that any degree of security is provided at all is dangerous. According to Moore, Google better spend its time teaching people how to use password managers.

Soon after the exploit appeared, Google replaced the Password Alert extension to version 1.4. Users who have already installed the extension can update the extension faster by checking Developer mode in Chrome’s settings under Extensions and then updating the extensions.

Update May 4 13.06: from a tweet turns out that another way has been found to circumvent the extension

You might also like