While the world's eyes were on the boxing ring at the MGM Grand Garden Hotel over the weekend, Google and a cybersecurity consultant have been sparring over the Chrome browser's new antiphishing extension.
Google is going to have to do better than this, the consultant said after punching through the extensions' defenses with a jab consisting of just a few lines of Javascript.
Google released the Chrome extension to warn Google account holders of possible phishing attempts. Phishing pages, similar to the image below, are decorated with elements that look authentic to trick users into handing over their credentials to hackers.
"This is a common and dangerous trap: the most effective phishing attacks can succeed 45 percent of the time, nearly 2 percent of messages to Gmail are designed to trick people into giving up their passwords, and various services across the web send millions upon millions of phishing emails, every day," stated Google in the blog post announcing the extension.
Just a day after Google launched Chrome's antiphishing extension, April 30, Paul Moore, an independent cybersecurity expert, strung together seven lines of code and landed a power blow. With Moore's code embedded in a phishing attack, the warnings from the Chrome extension open and close in a fraction of a second, five milliseconds to be exact.
Here's the script in action:
"In short, anyone looking to launch a phishing attack against a Google account simply needs to add those seven lines to render the Password Alert protection useless ... It's an embarrassment really," Moore said to Forbes.
Shaking off the blow, Google raised its gloves and returned to a defensive stance with an update for the extension. On the same day the white hatter pointed out the security flaw, Google's Drew Hintz announced that the company had addressed it.
@Paul_Reviews It's now fixed in 1.4. To update quickly, go to chrome://extensions/ , enable developer mode, click update extensions now.
— Drew Hintz (@DrewHintz) May 1, 2015
A day later, Moore broke through the Chrome extension's defenses with another blow.
#Google #PasswordAlert version 1.4 bypassed, again! cc @dangoodin001 @jleyden @gcluley @troyhunt @EduardKovacs pic.twitter.com/JrvrlFBYWN — Paul Moore (@Paul_Reviews) May 1, 2015
Now, it's Google's turn to respond. Because the extension has been hit squarely on the chin two times within days, Google may be looking at a change in tactics this time around.
