
SoylentNews is people

posted by cmn32480 on Sunday May 03 2015, @08:12PM
from the whoopsie! dept.

Google has been obliged to revise its Password Alert anti-phishing protection just hours after releasing it when security researchers showed how the technology was easily circumvented.

Security consultant Paul Moore (@Paul_Reviews) has published a proof-of-concept JavaScript exploit that skirted the defensive technology with just seven lines of code.

The Password Alert for Chrome browser plug-in is meant to trigger alerts for users in cases when they are induced to hand over their password to counterfeit sites impersonating Google (other online services aren't covered).

The extension only kicks into action after users have signed into their Google account; thereafter it puts up warnings to reset Gmail passwords in cases where users are taken in by a phish.

The problem is these alerts can be shut down with minimum effort and a few lines of JavaScript planted on counterfeit sites. More specifically, Moore's script looks for a warning banner every five milliseconds before removing anything it detects. Other approaches aimed at preventing humans actually seeing a warning – effectively killing off alerts kill[sic] as soon as they are generated – might also have been possible.

Moore posted a short video on YouTube to highlight his concerns.

http://www.theregister.co.uk/2015/05/01/google_password_alert_easily_disabled_6_lines_javascript/

[Also Covered By]: http://arstechnica.com/security/2015/04/30/behold-the-drop-dead-simply-exploit-that-nukes-googles-password-alert/

  • (Score: 3, Informative) by Anonymous Coward on Sunday May 03 2015, @09:26PM

    by Anonymous Coward on Sunday May 03 2015, @09:26PM (#178227)

    Woah there, the Nazis may have been committing war crimes and genocide but they never did something as atrocious as writing JavaScript malware.

  • (Score: 4, Funny) by fishybell on Sunday May 03 2015, @10:23PM

    by fishybell (3156) on Sunday May 03 2015, @10:23PM (#178243)

    Woah there, the Nazis may have been committing war crimes and genocide but they never did something as atrocious as writing JavaScript.

    FTFY

    • (Score: 3, Interesting) by Nerdfest on Sunday May 03 2015, @10:49PM

      by Nerdfest (80) on Sunday May 03 2015, @10:49PM (#178253)

      I used to really hate JavaScript. Due to ending up spending too much time chasing down problems that ended up being client-side problems caused by badly written JavaScript, I've been spending time writing JavaScript, and it does have a lot of really good features. The bad stuff is mostly inconsistencies, which do really annoy me, as well as a few important missing pieces like namespaces. If you use something like RequireJS to give namespace/dependency support, and actually write unit tests (QUnit!) it's a useful language that can be used to write maintainable code. It really amazes me that more people write unit tests for Java, a strictly typed language, than JavaScript, a dynamically typed one. One of the biggest strikes against JavaScript seems to be that most of it seems to be written by brogrammers in a 'yeah, that seems to work most of the time' sort of fashion.

      • (Score: 2, Insightful) by anubi on Monday May 04 2015, @01:10AM

        by anubi (2828) on Monday May 04 2015, @01:10AM (#178291) Journal

        I agree that JavaScript is very powerful and useful.

        So is a C++ compiler.

        They both have the potential to be misused. Big time.

        I can do some very nasty things with nothing more than GWBasic ( arrays and poke! ).

        People would think it asinine to attach .exe into .txt files, so that by just opening the text file to read it, you "agree to and hold harmless whatever the inserted .exe file does."

        Yet we do this with JavaScripts.

        Would you sign contracts without reading them? That's exactly what you are doing running scripts without reading them.

        The powers that be are trying to instigate a meme where we trust, do not verify, and hold harmless the script distributors.

        No wonder we are having so much trouble with malware on the web.

        Congress has created this problem by signing in one-sided law. Privileges must be balanced with accountability - not "hold harmless".

        A JavaScript laced page is no longer a page. It now has executables in it. It is an app.

        Only the coder of it knows what it really does. He may not be tellin'! The way the copyright laws are written, we aren't even supposed to be able to bypass his "digital locks" to see if he is up to no good.
         
        Even high level name-brand businesses are demonstrating they cannot be trusted by their use of tricky business-talk in their business communications... who thinks any code they can run in my machine won't be just as misleading?

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
        • (Score: 2) by maxwell demon on Monday May 04 2015, @07:29AM

          by maxwell demon (1608) on Monday May 04 2015, @07:29AM (#178356) Journal

          Would you sign contracts without reading them?

          People effectively do that all the time, by clicking "I Agree" buttons.

          --
          The Tao of math: The numbers you can count are not the real numbers.
          • (Score: 1) by anubi on Monday May 04 2015, @07:52AM

            by anubi (2828) on Monday May 04 2015, @07:52AM (#178363) Journal

            Uh... I believe this is one of the ways the system is getting us used to this.

            Wouldn't it be neat if we could "work with" our credit card companies the way businesses "work with" Congress so that we can put terms and conditions they must agree to in order to receive payment?

            --
            "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
          • (Score: 2) by darkfeline on Monday May 04 2015, @07:57AM

            by darkfeline (1030) on Monday May 04 2015, @07:57AM (#178366) Homepage

            I've heard that most end user agreements wouldn't hold up in court though. I suppose we just need a breakthrough case that rules that end user agreements aren't binding, especially the "We are not responsible if this software kills your mother" part, ESPECIALLY for closed source software.

            --
            Join the SDF Public Access UNIX System today!
    • (Score: 2) by nightsky30 on Sunday May 03 2015, @11:14PM

      by nightsky30 (1818) on Sunday May 03 2015, @11:14PM (#178269)

      Ah, no need for redundancy. Nice!