On Thursday, Ars reported that a new service that warns when Google account users' passwords are phished had been bypassed by a drop-dead simple exploit, just 24 hours after Google had rolled out the Chrome plugin. Within hours of publication, Google issued an update that blocked the exploit. Now the same researcher has figured out a way to bypass the new version, too.
The newer exploit, which circumvents Thursday night's release of version 1.4, relies on just three lines. It works by refreshing the browser page after each password character is entered. That causes a browser to behave as if only one character of the password has been entered. Consequently, the warning is never displayed. The newer exploit has limitations, however. If the phishing target types the password too slowly, the browser will catch up to the constant refreshing and display the warning as Google engineers intended. Still, the bypass works about 90 percent of the time, said Paul Moore, the UK-based security researcher who devised both attacks. It wouldn't be surprising to see Google release yet another patch that may or may not be bypassed yet again.