For the second time in less than a week, Google has updated its Password Alert extension for Chrome to address a method for bypassing the warning screens that alert users that they’re entering data on a non-Google site. However, the researcher who discovered the most recent bypass method said his technique still works on the latest version.
Last week Google released the Password Alert extension as a method for protecting Chrome users from some phishing attacks. When a user enters her Google account information into a site that’s not owned by Google, the extension will throw up a warning screen letting the user know of the problem and recommending a password change. Within a few hours, researcher Paul Moore developed a technique that allowed him to suppress the warning screen from the extension.
Google pushed an update to address that issue, but Moore soon found another way to get around the Password Alert extension, this time by refreshing the page each time the user presses a key while entering her password.
“In the old version, this warning was handled in the DOM which is obviously vulnerable because the extension and malicious code share the same origin. In the new version, the warning window is handled by the UA itself and, because it’s no longer within the same origin, JavaScript cannot alter/hide the warning screen. However, we can trick the UA into thinking the user hasn’t entered the password,” Moore said.
In an email, Moore said that method still works on version 1.6 of the extension, which was pushed out on Friday. He also said that there are several other known methods for bypassing the extension that still work as of the latest version. Google officials said last week that the company would continue to fix problems that came up and that they expected researchers to test the limits of the extension.