This week, Google launched a new service that warns users when their account passwords have been compromised. But it’s already been bypassed by an extremely simple exploit just 24 hours after Google rolled out the Chrome plugin. With a few hours, Google was forced to issue an update that blocked the exploit. And the research who found the original exploit has figured out a way to block the new version too.
Google password alert system compromised within hours
The new exploit, which gets around Thursday’s release of version 1.4, uses just 3 lines of code. It simply refreshes the browser page after every password character is entered, causing the web browser to behave as if only one character has been entered. That means the warning is never displayed either. The new hack has a few limitations, though. If the user types the password too slowly, the browser catches up and displayed the warning as Google intends. But apparently the attack works about 90% of the time, according to Paul Moore, a UK-based security researcher who came up with both attacks.
It’s highly likely that Google will release yet another patch, that may or may not be able to be bypassed. The whole thing just highlights the issues of security on the web. Someone makes a secure system and attackers work out how to break it. Then the defender makes refinements that block the attack and the attacker then works around it, and on and on. It can take years!