Google pumps out updates to security extension to patch vulnerabilities

Persistent problems are plaguing the Google engineers who developed an anti-phishing extension for Chrome.

Google HQ
Google HQ
Within hours of the release of Password Alert – a Google Chrome extension that warns users if they have revealed their password to a phishing site masquerading as a Google authentication page – security consultant Paul Moore had worked out how to disable the extension with just seven lines of code. 

Placing a few lines of Javascript in the code for a phishing page suppresses Password Alert's warning messages in just one-200th of a second. “As it fires so rapidly, the alert appears and disappears too quickly to be detectable by the user,” Moore told Forbes over email. “In short, anyone looking to launch a phishing attack against a Google account simply needs to add those seven lines to render the Password Alert protection useless… It's an embarrassment really.”

The problem was quickly fixed by Google with the release of version 1.4 of the extension, but more problems cropped up over the next few days as Moore and others developed additional exploits.

A Netherlands security firm identified a way to bypass the extension by altering the input. As Securify's Niels Croese explained to SecurityWeek, Password Alert works by listening to the JavaScript keypress event and recording the keystrokes. The characters are hashed and matched to the Google password which is stored in hashed format. When a match is recorded, it triggers the warning message.

Croese says Securify's bypass works by listening to the keystroke events and adding random characters to confuse Password Alert.

In the course of several days, Google released version 1.5 and 1.6 of the extension to patch the vulnerabilities as they were reported.

But Moore and Securify claim there are still vulnerabilities to be exploited, and Moore is sceptical that some of them can ever be patched.

In an email to SCMagazineUK.com, Moore outlined nine known weaknesses in the coding and concept behind Password Alert.

  1. Hide the warning div (detailed above, patched in 1.4)
  2. Refresh the page on key press (discovered by Moore, not patched as of 1.6)
  3. Intercept key press events (originally by securify.nl but PoC didn't work, re-factored by Moore and patched as of 1.6)
  4. Sandbox an IFRAME (by securify.nl, not patched as of 1.6)
  5. Add hidden content to push exploit beyond the scope (believed to have been discovered by securify.nl and not patched as of 1.6)
  6. Prevent propagation on key press (by Steve Thomas @Sc00bzT and patched as of 1.5)
  7. Bind onkeyup and onkeydown events to fake input (by @fallestar, not patched as of 1.6)
  8. Alter form ID to bypass detection (by "mgeex", not patched as of 1.6 - link)
  9. Force plugin to corrupt completely (published 7/5/15 by Paul Moore and not patched as of 1.6 - link)

Moore said that most of these exploits can be resolved easily but a few are difficult if not impossible to fix. “I can't see how Securify's sandbox exploit can be resolved without nullifying the sandbox completely.  Likewise my ‘refresh on keypress' [exploit number 2 above] bypass. It works by exploiting a race condition which an extension probably cannot resolve,” he told SC via email.

“These exploits, some of which are downright comical, put the user at a disadvantage, not the attacker.  It will help protect against the simplest of phishing attacks and for that, Google should be commended, but it arguably offers little protection against more sophisticated attacks,” he added.

Gavin Millard, technical director of Tenable Network Security, told SC via email, “It's surprising that Google, a member of the FIDO alliance that is working on simplifying and strengthening authentication, managed to miss some pretty rudimentary approaches to circumventing the extension. The fact that Moore has identified the flaws so Google can address them is beneficial to users, but I'm surprised they were present in the first place."

The ease with which the anti-phishing extension can be bypassed makes it useless, according to Phil Lieberman, CEO of Lieberman Software Corporation, adding that the problem is endemic to browser plug-ins for security.

In an email, Lieberman told SC, “The reasons for the weakness are numerous, but fundamentally they all come down to how a browser extension works (or can't work) which make phishing almost impossible to defeat unless means outside the browser are used.”

Peter Stancík, ESET security expert, told SC that it's impossible for a developer to anticipate every security scenario. “There are many researchers analysing security aspects of new applications, especially those with a big user base and/or those developed by big names – and vulnerabilities are found,” he said. “At least the vulnerability was found very quickly and the authors can take appropriate actions.”

Lieberman warned: “Users should not be fooled into thinking security browser extensions are 100 percent reliable.”

Stancík agreed that users should not rely on this extension, advising people to check the authenticity of the websites they visit by scrutinising the URL and certificate.