Google’s anti-phishing Chrome extension ‘Password Alert’ exploited with just 7 lines of code!

By  | 

It just took seven lines of code to foil Google’s recently released anti-phishing Chrome extension Password Alert.

Paul Moore, an information security consultant at UK firm Urity Group, uploaded a video to YouTube on Thursday showing how a few lines of code can be used by anyone to bypass the tool.

According to the search giant, the free Chrome extension released Wednesday, works by alerting users before they enter account information on “phishing” pages, or imitation sites designed to steal passwords and access personal information, such as emails or online bank accounts.

The new extension shows an alert and gives user a chance to immediately reset the Gmail password when it finds the user is typing his or her Gmail password into a login page that’s not an actual Google login.

“In short, anyone looking to launch a phishing attack against a Google account simply needs to add those seven lines to render the Password Alert protection useless,” Moore told Forbes in an interview on Friday.

“It’s an embarrassment really.”

Google swiftly responded to Moore’s PoC exploit with an update to patch it.

Google’s Drew Hintz noted on his Twitter that the flaw was “fixed” and that users could update the extension to safeguard themselves from the issue.

“It’s now fixed in 1.4. To update quickly, go to chrome://extensions/ , enable developer mode, click update extensions now,” he wrote.

Unfortunately, the update could not stop Moore from exploiting Password Alert again. Moore announced on his Twitter that he’d managed to bypass version 1.4 as well.

So, we can expect Google to issue another update in the coming days.