SoylentNews is people

posted by cmn32480 on Sunday May 03 2015, @08:12PM
from the whoopsie! dept.

Google has been obliged to revise its Password Alert anti-phishing protection just hours after releasing it when security researchers showed how the technology was easily circumvented.

Security consultant Paul Moore (@Paul_Reviews) has published a proof-of-concept JavaScript exploit that skirted the defensive technology with just seven lines of code.

The Password Alert for Chrome browser plug-in is meant to trigger alerts for users in cases when they are induced to hand over their password to counterfeit sites impersonating Google (other online services aren't covered).

The extension only kicks into action after users have signed into their Google account; thereafter it puts up warnings to reset Gmail passwords in cases where users are taken in by a phish.

The problem is these alerts can be shut down with minimum effort and a few lines of JavaScript planted on counterfeit sites. More specifically, Moore's script looks for a warning banner every five milliseconds before removing anything it detects. Other approaches aimed at preventing humans actually seeing a warning – effectively killing off alerts kill[sic] as soon as they are generated – might also have been possible.

Moore posted a short video on YouTube to highlight his concerns.

http://www.theregister.co.uk/2015/05/01/google_password_alert_easily_disabled_6_lines_javascript/

[Also Covered By]: http://arstechnica.com/security/2015/04/30/behold-the-drop-dead-simply-exploit-that-nukes-googles-password-alert/

 
  • (Score: 1) by anubi on Monday May 04 2015, @07:52AM


    Uh... I believe this is one of the ways the system is getting us used to this.

    Wouldn't it be neat if we could "work with" our credit card companies the way businesses "work with" Congress so that we can put terms and conditions they must agree to in order to receive payment?

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]