Google’s new Password Alert system is already broken


This week, Google launched a new service that warns users when their account passwords have been compromised. But it’s already been bypassed by an extremely simple exploit just 24 hours after Google rolled out the Chrome plugin. With a few hours, Google was forced to issue an update that blocked the exploit. And the research who found the original exploit has figured out a way to block the new version too.

Google password alert system compromised within hours

The first way to bypass the system required just 7 lines of code to confuse the Password Alert extension displayed in Chrome, when users enter their Google password into a non-Google website. The warning told web users that their Google password had been intercepted and suggested changing it immediately. The first exploit around this used a Javascript timer that searches the webpage for instances of the Google warning screen and just removes it. The warning window technically still appears however, but the exploit mean that the user would not see it.

Google Bypass Code

The new exploit, which gets around Thursday’s release of version 1.4, uses just 3 lines of code. It simply refreshes the browser page after every password character is entered, causing the web browser to behave as if only one character has been entered. That means the warning is never displayed either. The new hack has a few limitations, though. If the user types the password too slowly, the browser catches up and displayed the warning as Google intends. But apparently the attack works about 90% of the time, according to Paul Moore, a UK-based security researcher who came up with both attacks.

It’s highly likely that Google will release yet another patch, that may or may not be able to be bypassed. The whole thing just highlights the issues of security on the web. Someone makes a secure system and attackers work out how to break it. Then the defender makes refinements that block the attack and the attacker then works around it, and on and on. It can take years!


Comments are closed.