Behold: the drop-dead simple exploit that nukes Google’s Password Alert

Less than 24 hours after Google unveiled a Chrome extension that warns when user account passwords get phished, a security researcher has devised a drop-dead simple exploit that bypasses it.

This benign proof-of-concept exploit looks almost identical to a Google login page, and is typical of a malicious phishing page that attempts to trick people into entering their user name and password. If Google's freely available Password Alert extension was better designed, it would provide a warning as soon as someone tried to log into the page with their Google password. Instead, the warning is completely suppressed. (Note: although Ars fully trusts the researcher, readers are strongly advised not to enter passwords for Google accounts they use for anything other than testing purposes.) A video of the bypass exploit is here

Bypassing Google's Password Alert "Protection"

"It beggars belief," Paul Moore, an information security consultant at UK-based Urity Group who wrote the exploit, told Ars. "The suggestion that it offers any real level of protection is laughable." He went on to say Google would do better devoting its resources to supporting the use of password managers, since most of them provide much more effective protections against phishing attacks.

Read 3 remaining paragraphs | Comments