Google’s Password Alert extension for Chrome, which was released on Wednesday, has received its first critical security update less than 24 hours later, as infosec consultant Paul Moore came up with a simple exploit that bypasses it.
To demonstrate it, he created a page that looks very much like a Google login page, and inserted the following code in it:
As he explained to Dan Goodin, the code searches for the warning_banner (the window which the Password Alert plugin creates when it finds a phishing site) and if it finds it, it removes it.
The action is repeated every 5 milliseconds, effectively removing the warning window so fast that it’s impossible for users to notice its existence.
“The suggestion that [the extension] offers any real level of protection is laughable,” Moore commented, and advised Google to push users to opt for password managers instead, as they can’t be easily that fooled by phishing pages.
UPDATE: And, apparently, Moore did it again, this time by making the code refresh the browser page after each password character is entered, preventing the triggering of the alert.