On Thursday, Ars reported that a new service that warns when Google account users' passwords are phished had been bypassed by a drop-dead simple exploit, just 24 hours after Google had rolled out the Chrome plugin. Within hours of publication, Google issued an update that blocked the exploit. Now the same researcher has figured out a way to block the new version, too.
The first bypass required just seven lines of code to completely obfuscate the warning that the older Password Alert extension displayed when Chrome users entered their Google account password into a non-Google website. The warning told users their Google password had been intercepted by bad guys and advised users to change it right away. The first exploit relied on a JavaScript-based timer that searches the loaded webpage for instances of Google’s warning screen and simply removes it. Technically, the warning window still appears, but the exploit prevented the user from ever seeing it.
The newer exploit, which circumvents Thursday night's release of version 1.4, relies on just three lines. It works by refreshing the browser page after each password character is entered. That causes a browser to behave as if only one character of the password has been entered. Consequently, the warning is never displayed. The newer exploit has limitations, however. If the phishing target types the password too slowly, the browser will catch up to the constant refreshing and display the warning as Google engineers intended. Still, the bypass works about 90 percent of the time, said Paul Moore, the UK-based security researcher who devised both attacks. It wouldn't be surprising to see Google release yet another patch that may or may not be bypassed yet again.