Google updates Password Alert to block attack that mutes phishing warnings

Google has fixed a bug in its new phishing alert extension that allowed an attacker to mute alerts about potential phishing attacks. But one security expert says the update has been bypassed too.

The roughly 30,000 Chrome users who installed Google's new phishing-alert extension Password Alert now need to install a security update.

Google only released Password Alert on Wednesday and it's already been forced to fix the product after Paul Moore, an information security consultant at UK firm Urity Group, devised a few lines of code that can be used by anyone to bypass the tool.

Google released the free Chrome extension to give Gmail users extra protection against rogue websites that attempt to lure them into giving away their credentials using phishing techniques. The extension is also intended to protect Google at Work and Drive at Work accounts from phishing attacks.


Password Alert stores a hashed version of the user's password, and if the user types their Gmail password into any non-Google site, it flags a warning that tells them to reset the password.

However, Moore quickly discovered a way to mute the warning and yesterday released a proof of concept exploit that looks, as phishing pages do, exactly like Google's login page. Ars Technica drew attention to the exploit on Thursday and as it notes, it's probably not wise for users to type their passwords into the page. Google currently flags Moore's page as a phishing site.

Moore posted the relevant lines of code yesterday and explained that the tool "can be defeated with a function which removes the warning banner from the DOM with a setinterval."

Google security engineer Drew Hintz yesterday said the company has now fixed the flaw, bringing the tool up to version 1.4. "To update quickly, go to chrome://extensions/ , enable developer mode, click update extensions now," he said.

However, Moore told ZDNet that version 1.4 has now also been bypassed with a similarly short, though not quite as simple, snippet of code.

"So we're back to square one," he said in an email.

In other words, expect Google to issue another update in the coming days.

While Moore lauded Google's efforts to raise awareness about phishing, he said Password Alert is not ready for prime time yet and thus may introduce risk by giving users a false sense of security.

"I'm all for raising awareness, but users will naturally assume this extension mitigates the risk and likely never give it a second thought. It's a great idea in principle but in its current state, it's more a proof of concept than a viable, trustworthy product," said Moore.

The extension has been installed from the Chrome Web Store by nearly 28,000 users, according to Google's figures.

Despite the bypass, Google's head of the webspam team Matt Cutts has defended the product as a worthwhile effort. "A world in which every single phisher in the world has to play catchup/counterattack is a better world than today," he said.
