Google’s phishing anti-phishing extension turned out to be useless

This week, Google proudly unveiled a new Chrome browser extension called Password Alert. It was designed to protect users from stealing their passwords with phishing sites.

Phishing is one of the most popular and successful password theft systems. The victim receives an email that looks like a real letter from his favorite service (for example, Gmail). The letter somehow justifies the need to urgently go to the site of the system, and provides a link to the site. The user follows the link and on the site of the system enters his login and password.
')
The essence of the attack is that the user clicks the link not on the site of the system, but on the site of the attacker who looks exactly the right one. Thus, the attacker gets the username and password of the user.

As planned by the developers of protection against phishing, Password Alert stores a hash of the password to your Gmail account. If a user enters a password with such a hash on some other site, the extension blows an alarm, showing a pop-up warning box.

The very next day after the blog was published, Paul Moore, a security specialist from the UK, found a ridiculously easy way for an attacker to turn off the warning. The fact is that Password Alert has embedded the code to display the window in a regular DOM. The following code removes the warning window from there:

<script type="text/javascript"> setInterval(function() { if(document.getElementById("warning_banner")) { document.getElementById("warning_banner").remove(); } }, 5); </script> 

Promptly responding to the statement of Moore, the developers have updated the extension. Now it showed a banner, using the interface of the browser, but not DOM. But on them there was a gap and this time.

After a little tinkering, Moore realized that the extension was checking the password entry, filtering keyboard input that occurs after the page is fully loaded. If after entering each character of the password to reload the page, the extension will receive only one character, so it will not be able to track the fact of entering the password in the text field.

Because of this, Password Alert, although it will be useful, but in no case will not be a panacea. According to a cunning researcher, such a plan of protection cannot be done without seriously reworking the browser’s workflow or password entry system.