While the world's eyes were on the boxing ring at the MGM Grand Garden Hotel over the weekend, Google and a cybersecurity consultant have been sparring over the Chrome browser's new antiphishing extension.
Google released the Chrome extension to warn Google account holders of possible phishing attempts. Phishing pages, similar to the image below, are decorated with elements that look authentic to trick users into handing over their credentials to hackers.
"This is a common and dangerous trap: the most effective phishing attacks can succeed 45 percent of the time, nearly 2 percent of messages to Gmail are designed to trick people into giving up their passwords, and various services across the web send millions upon millions of phishing emails, every day," stated Google in the blog post announcing the extension.
Just a day after Google launched Chrome's antiphishing extension, April 30, Paul Moore, an independent cybersecurity expert, strung together seven lines of code and landed a power blow. With Moore's code embedded in a phishing attack, the warnings from the Chrome extension open and close in a fraction of a second, five milliseconds to be exact.
Here's the script in action:
"In short, anyone looking to launch a phishing attack against a Google account simply needs to add those seven lines to render the Password Alert protection useless ... It's an embarrassment really," Moore said to Forbes.
Shaking off the blow, Google raised its gloves and returned to a defensive stance with an update for the extension. On the same day the white hatter pointed out the security flaw, Google's Drew Hintz announced that the company had addressed it.
@Paul_Reviews It's now fixed in 1.4. To update quickly, go to chrome://extensions/ , enable developer mode, click update extensions now.
— Drew Hintz (@DrewHintz) May 1, 2015
A day later, Moore broke through the Chrome extension's defenses with another blow.
Now, it's Google's turn to respond. Because the extension has been hit squarely on the chin two times within days, Google may be looking at a change in tactics this time around.