Researcher Bypasses Google Password Alert For Second Time

Trailrunner7 writes with this excerpt: A security researcher has developed a method–actually two methods–for defeating the new Chrome Password Alert extension that Google released earlier this week.

The Password Alert extension is designed to warn users when they're about to enter their Google passwords into a fraudulent site. The extension is meant as a defense against phishing attacks, which remain a serious threat to consumers despite more than a decade of research and warnings about the way the attacks work.

Just a day after Google released the extension, Paul Moore, a security consultant in the U.K., developed a method for bypassing the extension. The technique involved using Javascript to look on a given page for the warning screen that Password Alert shows users. The method Moore developed then simply blocks the screen, according to a report on Ars Technica. In an email, Moore said it took him about two minutes to develop that bypass, which Google fixed in short order.

However, Moore then began looking more closely at the code for the extension, and Chrome itself, and discovered another way to get around the extension. He said this one likely will be more difficult to repair.

"The second exploit will prove quite difficult (if not near impossible) to resolve, as it leverages a race condition in Chrome which I doubt any single extension can remedy. The extension works by detecting each key press and comparing it against a stored, hashed version. When you've entered the correct password, Password Alert throws a warning advising the user to change their password," Moore said.

Re:

[Anonymous Coward]

This extension seems like an ordinary keylogger: 'The extension works by detecting each key press ...'
I wonder which no such agency gets the results.

Comment removed

[account_deleted]

Comment removed based on user account deletion

hunter2

[Lehk228]

hey it works

Re:

[CoderJoe]

12345sameAsMyLuggage

Re:

[CoderJoe]

Hey....

Re:

[NotInHere]

Obligatory: http://bash.org/?244321 [bash.org]

I don't know why he says it can't be blocked.

[140Mandak262Jamuna]

Basically the first exploit was something like a pop-up blocker that blocked the alert page from being displayed. The second one is to refresh the page at every keystroke so that the key-logging and watching extension never sees the full password, so it does not alert the user. A page that calls the refresh method for every key stroke is suspicious. The alert extension could look for this behavior and report it. Even the first exploit involving the pop-up blocker could be scanned for. The trigger for the alert-window-blocker must be obfuscated to escape detection.

I hate to say, but...

[Kergan]

Google, WTF? Are you seriously going to settle with letting a security researcher break your security gizmo twice in a row in two days? Your credibility is on the line here... [Grabs popcorn]

Another way to bypass it

[FalleStar]

After reading the summary, I went ahead and downloaded the extension to see if I could figure out a way to bypass it. I tried a few more obvious methods first, all of which were detected by the extension.

My 4th attempt at bypassing the extension seems to work just fine though. It works by binding the window.onkeyup and window.onkeydown methods, determining which character corresponds to the key being pressed, then appending that character to the username or password fields if one of them has focus. Once the value has been added to the appropriate field, the event is cancelled using e.preventDefault(). I put a proof-of-concept up on my site [fallestar.com] in case anyone is interested. Here's the raw code for that page [pastebin.com] if you don't want to go to some random SlashDot poster's website.

This method only took a few minutes for me to come up with, so I'm probably not the first one to figure this out, but I thought I'd share anyways.

Re:

[swillden]

Nicely done.

I expect this may turn into something of an arms race between phishing page authors and Google. The cleverest phishers may be able to stay consistently ahead of the extension, but I expect that they'll have to work for it... or would if significant numbers of people used the extension. I just checked the Chrome Web Store and so far there have only been 67K downloads. That's something but it's a long, long way from universal coverage.

The positive aspect of that is that as long as usage remain

Re:

[swillden]

BTW, FalleStar, I reported your attack to the Password Alert team. They've made a number of changes which defeat your attack as well as a large class of similar attacks. The new release hasn't been pushed out to users yet, I don't think, but I'd expect you'll see an update before too much longer.

The Password Alert team thanks you for your report. Actually, they thanked me, but I didn't do anything other than pass messages, so I'm passing it along to you.

Too bad there's no Vulnerability Reward Program fo

Use the original article

[thrill12]

... on ars technica: http://arstechnica.com/security/2015/05/01/googles-new-version-of-password-alert-blocking-bypass-is-bypassed/ [arstechnica.com]. This one also has the original author of the exploit commenting on his findings.

Chrome extension model is flawed

[Anonymous Coward]

It's always bothered me that the primary way that an extension will add extra UI elements around the edge of the page is to modify the page DOM itself, making it possible for the extension to be detected by the code within the page monitoring for particular elements. For example, this makes it trivial to detect FlashBlock, Ghostery and other such extensions in their default configurations.

Instead, Chrome should provide a real API for overlaying captions onto the page that is independent of the page itself.

A