A few hours ago, Google released the Password Alert extension that was designed to warn users when they are submitting their Google credentials to fraudulent websites.
“Here’s how it works for consumer accounts. Once you’ve installed and initialized Password Alert, Chrome will remember a ‘scrambled’ version of your Google Account password. It only remembers this information for security purposes and doesn’t share it with anyone. If you type your password into a site that isn’t a Google sign-in page, Password Alert will show you a notice like the one below. This alert will tell you that you’re at risk of being phished so you can update your password and protect yourself,” Drew Hintz and Justin Kosslyn of Google wrote in a post on the new extension.
The security community welcomed the news, the extension will allow to reduce the effect of phishing attacks that still represent a serious threat to the end-users.
Unfortunately, just a 24 hours after the release of the extension, the satisfaction was ruined by the news that a security researcher has already developed two methods for defeating the new Chrome Password Alert extension.
The British expert Paul Moore developed a first method for bypassing the Google extension that relies on Javascript that look on the phishing page for the warning message that Password Alert provides to users and block it.
Moore explained to Ars Technica experts that it took him about two minutes to write the seven lines of codes used to bypass the Google Password Alert Extension.
“The first bypass required just seven lines of code to completely obfuscate the warning that the older Password Alert extension displayed when Chrome users entered their Google account password into a non-Google website. The warning told users their Google password had been intercepted by bad guys and advised users to change it right away. The first exploit relied on a JavaScript-based timer that searches the loaded webpage for instances of Google’s warning screen and simply removes it. Technically, the warning window still appears, but the exploit prevented the user from ever seeing it.” reports Ars Technica.
Moore spent more time trying to circumvent the extension, and discovered another method that relies on a race condition in Chrome difficult to fix.
“The second exploit will prove quite difficult (if not near impossible) to resolve, as it leverages a race condition in Chrome which I doubt any single extension can remedy. The extension works by detecting each key press and comparing it against a stored, hashed version. When you’ve entered the correct password, Password Alert throws a warning advising the user to change their password,” Moore explained.
“In the old version, this warning was handled in the DOM which is obviously vulnerable because the extension and malicious code share the same origin. In the new version, the warning window is handled by the UA itself and, because it’s no longer within the same origin, javascript cannot alter/hide the warning screen. However, we can trick the UA into thinking the user hasn’t entered the password.”
By exploiting this second method an attacker can prevent the Password Alert extension from seeing the whole password.
“By refreshing the page after each key press, the UA and event handlers attached to that session never see the entire password, so the warning is never fired,” Moore added.
“So instead of: “CorrectHorseBatteryStaple” -> /login.html -> valid hash -> warning window
the UA sees
“C” -> /login.html -> invalid hash
“o” -> /login.html -> invalid hash
“r” -> /login.html -> invalid hash
… and so on. The only caveat being instances where the user enters the password *very* slowly, which the extension handles as expected.”
Also in this case the development of the exploit took a few minutes.
“To be honest, I can’t think of way to do it without introducing other, far more serious issues. One possibility is persisting input states across multiple tabs/windows, which I doubt is even possible with tabs/extensions being isolated from each other,” Moore explained.
(Security Affairs – Password Alert extension, Google)