A few hours ago, Google released Password Alert, a Chrome extension designed to warn users when they submit their Google credentials to a fraudulent website.
“Here’s how it works for consumer accounts. Once you’ve installed and initialized Password Alert, Chrome will remember a ‘scrambled’ version of your Google Account password. It only remembers this information for security purposes and doesn’t share it with anyone. If you type your password into a site that isn’t a Google sign-in page, Password Alert will show you a notice like the one below. This alert will tell you that you’re at risk of being phished so you can update your password and protect yourself,” Drew Hintz and Justin Kosslyn of Google wrote in a post on the new extension.
The security community welcomed the news: the extension promises to reduce the impact of phishing attacks, which still represent a serious threat to end users.
Unfortunately, just 24 hours after the release of the extension, the satisfaction was spoiled by the news that security researcher Paul Moore had already developed two methods for defeating the new Chrome Password Alert extension.
Moore told Ars Technica that it took him about two minutes to write the seven lines of code used to bypass the Google Password Alert extension.
Moore then spent more time probing the extension and discovered a second method, one that relies on a race condition in Chrome and will be difficult to fix.
“The second exploit will prove quite difficult (if not near impossible) to resolve, as it leverages a race condition in Chrome which I doubt any single extension can remedy. The extension works by detecting each key press and comparing it against a stored, hashed version. When you’ve entered the correct password, Password Alert throws a warning advising the user to change their password,” Moore explained.
With this second method an attacker can prevent the Password Alert extension from ever seeing the whole password.
“By refreshing the page after each key press, the UA and event handlers attached to that session never see the entire password, so the warning is never fired,” Moore added.
“So instead of: “CorrectHorseBatteryStaple” -> /login.html -> valid hash -> warning window
the UA sees
“C” -> /login.html -> invalid hash
“o” -> /login.html -> invalid hash
“r” -> /login.html -> invalid hash
… and so on. The only caveat being instances where the user enters the password *very* slowly, which the extension handles as expected.”
In this case, too, developing the exploit took only a few minutes.
“To be honest, I can’t think of way to do it without introducing other, far more serious issues. One possibility is persisting input states across multiple tabs/windows, which I doubt is even possible with tabs/extensions being isolated from each other,” Moore explained.
(Security Affairs – Password Alert extension, Google)