Just seven lines of code were used to dupe the anti-phishing tool. Google fixed the problem, but a new flaw has apparently been revealed.
Former CNET contributor Don Reisinger is a technology columnist who has covered everything from HDTVs to computers to Flowbee Haircut Systems. Besides his work with CNET, Don's work has been featured in a variety of other publications including PC World and a host of Ziff-Davis publications.
It took just a day for Google's anti-phishing Chrome extension to fall victim to the very threat it's trying to avoid.
Paul Moore, an information security consultant, uploaded a video to YouTube on Thursday showing how Google's new Password Alert system can be duped by adding just seven lines of code to a website. Password Alert, a free extension for Google's Chrome Web browser, was unveiled Wednesday. The tool is designed to alert users if they've landed on a malicious site that's pretending to be Google in order to steal private information, a practice also known as phishing.
"In short, anyone looking to launch a phishing attack against a Google account simply needs to add those seven lines to render the Password Alert protection useless," Moore told Forbes in an interview on Friday. "It's an embarrassment really."
Soon after Moore exploited the extension, Google's Drew Hintz reported on his Twitter that the flaw was "fixed" and that users could update the extension to safeguard themselves from the issue.
Password Alert attempts to keep passwords safe by preventing users from inputting their Google password on other sites and stopping them from reusing Google passwords on non-Google sites. Whenever a Google password is input into a website, Password Alert shows a message saying "Your Gmail password was just exposed to a non-Gmail page," and tells users to change their Gmail password immediately.
The idea behind Password Alert is to prevent phishing attacks. Phishing is a technique in which a malicious hacker poses as a legitimate company or organization to steal sensitive information, such as passwords, Social Security numbers or credit card numbers. In many cases, those phishing attacks replicate the designs of a company's website or email template.
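To show the detection idea behind a tool like Password Alert, here is an added example (not Google's code, and not the extension's actual implementation): a small origin-aware password-reuse monitor. It assumes, as a simplification, that the extension keeps only a salted digest of the account password, compares the last few keystrokes against it, and raises an alert only when the match happens somewhere other than the real sign-in origin; all names, the sample password and the salt are constructed for the example.

```javascript
// Hypothetical password-reuse monitor modelled on what the article describes.
// Assumption: the real sign-in origin is the only place the password may be typed.
const ACCOUNT_ORIGINS = new Set(["https://accounts.google.com"]);

function fnv1a(str) {
  // 32-bit FNV-1a, used here only as a stand-in digest for demonstration;
  // a real deployment would use a proper salted password hash.
  let h = 0x811c9dc5;
  for (const ch of str) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function enrollPassword(password, salt) {
  // Keep only the salt, the length and a salted digest, never the password itself.
  return { salt, length: password.length, digest: fnv1a(salt + password) };
}

function createMonitor(enrolled) {
  let buffer = "";                       // rolling window of the most recent keystrokes
  return function onKey(pageOrigin, key) {
    if (key === "Enter") { buffer = ""; return false; }
    if (key === "Backspace") { buffer = buffer.slice(0, -1); return false; }
    buffer = (buffer + key).slice(-enrolled.length);   // retain at most N characters
    if (buffer.length < enrolled.length) return false;
    if (fnv1a(enrolled.salt + buffer) !== enrolled.digest) return false;
    buffer = "";                         // do not keep a matched password in memory
    return !ACCOUNT_ORIGINS.has(pageOrigin);   // alert only off the genuine login origin
  };
}

// Feeds a sequence of keys (a string or an array of key names) to a monitor and
// reports whether any keystroke triggered an alert.
function simulateTyping(enrolled, pageOrigin, keys) {
  const monitor = createMonitor(enrolled);
  let alerted = false;
  for (const k of keys) if (monitor(pageOrigin, k)) alerted = true;
  return alerted;
}

// Constructed sample credential for the demonstration.
const SAMPLE = enrollPassword("hunter2-example", "constructed-salt");
```

A page can still tamper with any warning rendered inside its own DOM, which is why the check and the alert belong in extension-controlled UI rather than in content the site can edit.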
Google did not immediately respond to a request for comment.