A simple script exploit can take down Google’s latest anti-phishing extension, Password Alert
Paul Moore, an information security consultant at the UK-based Urity Group, has written a simple code exploit for the Password Alert extension. Moore pooh-poohed the idea that Google’s extension provides top-level security to Google users: “It beggars belief, the suggestion that it offers any real level of protection is laughable.”
Proof of Concept
Moore’s bypass requires the following few lines of code: The PoC video is given below :

Lines 2 & 8 are the start & end of a JavaScript block. Lines 3 & 7 (setInterval) tell the UA to carry out what’s inside the function every x milliseconds (5 in this case). Line 4 checks whether the warning_banner (the window which the Password Alert plugin creates when it finds a phishing site) exists. This line isn’t strictly necessary, but it is included to hide any errors which might alert the user. Line 5 searches the DOM for an element with an ID of “warning_banner” and removes it.

Basically, the script runs every 5 milliseconds, searches the page for instances of Google’s warning screen and simply removes it. That’s it. Technically, the warning window still appears, but it disappears so quickly that the user wouldn’t notice.
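The weakness the description above exposes is that a warning rendered into the page’s own DOM is only as durable as the page lets it be. One defensive countermeasure is for the extension to notice when its banner keeps vanishing milliseconds after insertion and to escalate through a channel the page cannot touch. The following is an added example from this editor, not Moore’s PoC and not Google’s fix: the element ID `warning_banner` comes from the article, while the 100 ms window, the threshold of three rapid removals, the `BannerTracker` class and the `watchBanner` glue are assumptions. The decision logic is kept free of DOM dependencies so it can be tested outside a browser; the `MutationObserver` glue only runs where one exists.

```javascript
// Added example: detect scripted suppression of an in-page warning banner.
// Not the Password Alert source and not Google's fix; thresholds are assumed.

const BANNER_ID = "warning_banner";   // element ID named in the article
const SUPPRESS_WINDOW_MS = 100;       // assumed: removal this soon after insertion is suspicious
const SUPPRESS_THRESHOLD = 3;         // assumed: this many rapid removals means "suppressed"

// Pure decision logic. `events` is an array of {insertedAt, removedAt} in ms;
// removedAt is null while the banner is still visible. A user dismissing a
// banner after reading it takes seconds; a script removing it takes milliseconds.
function suppressionVerdict(events, windowMs = SUPPRESS_WINDOW_MS, threshold = SUPPRESS_THRESHOLD) {
  const rapid = events.filter(
    (e) => e.removedAt !== null && e.removedAt - e.insertedAt <= windowMs
  );
  return { rapidRemovals: rapid.length, suppressed: rapid.length >= threshold };
}

// Records banner lifetimes. The clock is injectable so the logic can be tested
// deterministically; in the browser it defaults to Date.now().
class BannerTracker {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.events = [];
    this.open = null;
  }
  inserted() {
    this.open = { insertedAt: this.now(), removedAt: null };
    this.events.push(this.open);
  }
  removed() {
    if (this.open) {
      this.open.removedAt = this.now();
      this.open = null;
    }
  }
  verdict() {
    return suppressionVerdict(this.events);
  }
}

// Browser-only glue: watch the whole document for the banner being added and
// removed. Once the pattern looks like scripted suppression, stop observing and
// hand off to `onSuppressed`, which in a real extension would message the
// background page (assumed design; e.g. chrome.runtime.sendMessage) so the
// warning can be shown in browser UI the page script cannot reach.
// Returns null outside a browser (no MutationObserver / document).
function watchBanner(tracker, onSuppressed) {
  if (typeof MutationObserver === "undefined" || typeof document === "undefined") {
    return null;
  }
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const n of m.addedNodes) if (n.id === BANNER_ID) tracker.inserted();
      for (const n of m.removedNodes) if (n.id === BANNER_ID) tracker.removed();
    }
    const verdict = tracker.verdict();
    if (verdict.suppressed) {
      observer.disconnect();
      onSuppressed(verdict);
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
```

The heuristic deliberately tolerates a single fast removal (a page re-render could do that) and only escalates on a repeated pattern. It is a detection aid, not a fix: the robust mitigation for this class of bypass is to render the warning outside the page-controlled DOM altogether, since any content script element can be raced by page JavaScript.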
Google acted quickly on Moore’s exploit and updated Password Alert to version 1.4 to stop his bypass code from working. Google engineer Drew Hintz tweeted about the fix:
— Drew Hintz (@DrewHintz) May 1, 2015

To update your Password Alert, go to chrome://extensions/, enable developer mode, and click “Update extensions now”.