Hacker Bypassed Google's Password Alert Extension

Just hours after Google released its Password Alert extension, a hacker came up with a simple exploit that bypasses it.

Researcher Paul Moore demonstrated it with a webpage that looks like the Google login page and contains the following additional code:

<!-- BYPASS GOOGLE'S PASSWORD ALERT "PROTECTION" -->
<script type="text/javascript">
setInterval(function() {
if(document.getElementById("warning_banner")) {
document.getElementById("warning_banner").remove();
}
}, 5);
</script>

How It Works?

The researcher said, "Lines 3 & 7 (setInterval) tell the UA to carry out what’s inside the function every 5 milliseconds."

"Line 4 checks to see if the warning_banner (the window which the Password Alert plugin creates when it finds a phishing site) exists. This line isn’t strictly necessary, but to hide any errors which may alert the user, it’s included."

"Line 5 searches the DOM for an element with an ID of 'warning_banner' and removes it. Basically, the script runs every 5 milliseconds, searches the page for instances of Google’s warning screen and simply removes it. That’s it. Technically, the warning window still appears… but it disappears so quickly, the user wouldn't know."

Here is the video demonstrating the bypass:


Google acted quickly and released an update for Password Alert (version 1.4) to prevent Moore's bypass from working. Users who installed the extension are advised to go to chrome://extensions/, enable developer mode, and click "Update extensions now".
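
The bypass only works because the page's script names the warning element's ID, which makes that ID a usable triage signal when reviewing a suspected phishing page. The scanner below is an added example, not code from Moore, Google or the extension; only the ID "warning_banner" comes from the article, and the function names, grading rules and sample pages are constructed.

```javascript
// Added example: static triage of a page's inline scripts for tampering with
// the Password Alert banner. Only the ID "warning_banner" comes from the
// article; function names, rules and sample pages are constructed.
const BANNER_ID = "warning_banner";

// Return the bodies of inline <script> elements (tolerates a missing close tag).
function inlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)(?:<\/script\s*>|$)/gi;
  return Array.from(html.matchAll(re), (m) => m[1]);
}

// Grade each inline script that mentions the banner ID.
function scanForBannerTampering(html) {
  const findings = [];
  for (const body of inlineScripts(html)) {
    if (!body.includes(BANNER_ID)) continue;
    const reasons = ["references " + BANNER_ID];
    const removes = /\.remove\s*\(|\.removeChild\s*\(/.test(body);
    const hides = /display\s*[:=]\s*["']?none/i.test(body);
    const polls = /\b(?:setInterval|setTimeout)\s*\(/.test(body);
    if (removes) reasons.push("removes an element");
    if (hides) reasons.push("hides an element");
    if (polls) reasons.push("runs on a timer");
    const severity = (removes || hides) ? (polls ? "high" : "medium") : "low";
    findings.push({ severity, reasons });
  }
  return findings;
}

// Constructed sample pages.
const SAMPLE_BYPASS = `<html><body><form>...</form>
<script type="text/javascript">
setInterval(function() {
if(document.getElementById("warning_banner")) {
document.getElementById("warning_banner").remove();
}
}, 5);
</script></body></html>`;

const SAMPLE_BENIGN = `<html><body><span id="clock"></span>
<script>
setInterval(function() {
document.getElementById("clock").textContent = new Date().toISOString();
}, 1000);
</script></body></html>`;

console.log(scanForBannerTampering(SAMPLE_BYPASS));
console.log(scanForBannerTampering(SAMPLE_BENIGN));
```

A static match like this only sees scripts that name the ID literally, so treat a hit as a signal and a miss as inconclusive.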
