
SoylentNews is people

posted by cmn32480 on Sunday May 03 2015, @08:12PM   Printer-friendly
from the whoopsie! dept.

Google has been obliged to revise its Password Alert anti-phishing protection just hours after releasing it, after security researchers showed how easily the technology could be circumvented.

Security consultant Paul Moore (@Paul_Reviews) has published a proof-of-concept JavaScript exploit that skirted the defensive technology with just seven lines of code.

The Password Alert extension for the Chrome browser is meant to warn users when they have been induced to hand their password to a counterfeit site impersonating Google (other online services aren't covered).

The extension only kicks into action after the user has signed into their Google account; from then on it puts up a warning telling the user to reset their Gmail password whenever it detects that they have been taken in by a phish.

The problem is that these alerts can be shut down with minimal effort and a few lines of JavaScript planted on the counterfeit site. More specifically, Moore's script polls for the warning banner every five milliseconds and removes any instance it finds. Other approaches aimed at preventing a human from actually seeing the warning, effectively killing off alerts as soon as they are generated, would also have been possible.
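To make the mechanism concrete, the following is an added example, not Moore's script and not code from the page or from Google. It models the poll-and-remove bypass against a constructed stand-in for the DOM and then simulates how long the banner stays in the page for a given poll interval. The banner selector (`#password-alert-warning`) is an assumption; the page does not name the element the extension injects.

```javascript
// Minimal stand-in for the parts of the DOM the bypass touches.
// Constructed for this example; it is not a real browser document.
class FakeDocument {
  constructor() { this.children = []; }
  querySelector(sel) { return this.children.find(e => e.matches(sel)) || null; }
  append(el) { this.children.push(el); }
  removeChild(el) { this.children = this.children.filter(e => e !== el); }
}

class FakeElement {
  constructor(doc, id, className) { this.doc = doc; this.id = id; this.className = className; }
  matches(sel) {
    if (sel.startsWith('#')) return this.id === sel.slice(1);
    if (sel.startsWith('.')) return this.className === sel.slice(1);
    return false;
  }
  remove() { this.doc.removeChild(this); }
}

// ASSUMED selector: the page does not say what the real banner is called.
const BANNER_SELECTOR = '#password-alert-warning';

// The bypass as the article describes it: look for the warning element on a
// short timer and delete it as soon as it appears. tick() does one pass so the
// behaviour can be driven deterministically; start() is the real-world form.
function makeSuppressor(doc, selector = BANNER_SELECTOR) {
  let removed = 0;
  return {
    tick() {
      const el = doc.querySelector(selector);
      if (!el) return false;
      el.remove();
      removed += 1;
      return true;
    },
    get removed() { return removed; },
    // In a browser this would be the whole "exploit": setInterval at 5 ms.
    start(intervalMs = 5) { return setInterval(() => this.tick(), intervalMs); },
  };
}

// Discrete-time simulation (1 ms steps). The extension injects the banner at
// injectAt ms; the hostile page polls every pollMs ms. Returns how many ms the
// banner was present in the DOM, or null if it was never removed before
// horizonMs. Shows why a 5 ms poll keeps the warning below anything a user
// could notice, while a slow poll leaves it on screen.
function simulate({ injectAt, pollMs, horizonMs }) {
  const doc = new FakeDocument();
  const suppressor = makeSuppressor(doc);
  let visibleFrom = null;
  let visibleMs = null;
  for (let t = 0; t <= horizonMs; t += 1) {
    if (t === injectAt) {
      doc.append(new FakeElement(doc, 'password-alert-warning', 'warning'));
      visibleFrom = t;
    }
    if (t % pollMs === 0 && suppressor.tick()) visibleMs = t - visibleFrom;
  }
  return { visibleMs, removed: suppressor.removed };
}

// Usage (synchronous, no browser needed):
//   simulate({ injectAt: 137, pollMs: 5, horizonMs: 500 })    -> banner present 3 ms
//   simulate({ injectAt: 137, pollMs: 1000, horizonMs: 500 }) -> never removed
```

The defensive point the example makes is structural: a warning that a content script injects into the page's own DOM is under the page's control, so any timer-based removal, a CSS override, or an overlay will hide it. A warning the page cannot reach has to live in browser chrome (extension popup, badge, or a native dialog) rather than in the document. What Google changed in its revised release is not described on this page.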

Moore posted a short video on YouTube to highlight his concerns.

http://www.theregister.co.uk/2015/05/01/google_password_alert_easily_disabled_6_lines_javascript/

[Also Covered By]: http://arstechnica.com/security/2015/04/30/behold-the-drop-dead-simply-exploit-that-nukes-googles-password-alert/

  • (Score: 2) by maxwell demon (1608) on Monday May 04 2015, @07:29AM (#178356)

    Would you sign contracts without reading them?

    People effectively do that all the time, by clicking "I Agree" buttons.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 1) by anubi (2828) on Monday May 04 2015, @07:52AM (#178363)

    Uh... I believe this is one of the ways the system is getting us used to this.

    Wouldn't it be neat if we could "work with" our credit card companies the way businesses "work with" Congress so that we can put terms and conditions they must agree to in order to receive payment?

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 2) by darkfeline (1030) on Monday May 04 2015, @07:57AM (#178366)

    I've heard that most end user agreements wouldn't hold up in court though. I suppose we just need a breakthrough case that rules that end user agreements aren't binding, especially the "We are not responsible if this software kills your mother" part, ESPECIALLY for closed source software.

    --
    Join the SDF Public Access UNIX System today!