The problem was quickly fixed by Google with the release of version 1.4 of the extension, but more problems cropped up over the next few days as Moore and others developed additional exploits.
Croese says Securify's bypass works by listening to the keystroke events and adding random characters to confuse Password Alert.
In the course of several days, Google released version 1.5 and 1.6 of the extension to patch the vulnerabilities as they were reported.
But Moore and Securify claim there are still vulnerabilities to be exploited, and Moore is sceptical that some of them can ever be patched.
In an email to SCMagazineUK.com, Moore outlined nine known weaknesses in the coding and concept behind Password Alert.
- Hide the warning div (detailed above, patched in 1.4)
- Refresh the page on key press (discovered by Moore, not patched as of 1.6)
- Intercept key press events (originally by securify.nl but PoC didn't work, re-factored by Moore and patched as of 1.6)
- Sandbox an IFRAME (by securify.nl, not patched as of 1.6)
- Add hidden content to push exploit beyond the scope (believed to have been discovered by securify.nl and not patched as of 1.6)
- Prevent propagation on key press (by Steve Thomas @Sc00bzT and patched as of 1.5)
- Bind onkeyup and onkeydown events to fake input (by @fallestar, not patched as of 1.6)
- Alter form ID to bypass detection (by "mgeex", not patched as of 1.6 - link)
- Force plugin to corrupt completely (published 7/5/15 by Paul Moore and not patched as of 1.6 - link)
Moore said that most of these exploits can be resolved easily but a few are difficult if not impossible to fix. “I can't see how Securify's sandbox exploit can be resolved without nullifying the sandbox completely. Likewise my ‘refresh on keypress' [exploit number 2 above] bypass. It works by exploiting a race condition which an extension probably cannot resolve,” he told SC via email.
“These exploits, some of which are downright comical, put the user at a disadvantage, not the attacker. It will help protect against the simplest of phishing attacks and for that, Google should be commended, but it arguably offers little protection against more sophisticated attacks,” he added.
Gavin Millard, technical director of Tenable Network Security, told SC via email, “It's surprising that Google, a member of the FIDO alliance that is working on simplifying and strengthening authentication, managed to miss some pretty rudimentary approaches to circumventing the extension. The fact that Moore has identified the flaws so Google can address them is beneficial to users, but I'm surprised they were present in the first place."
The ease with which the anti-phishing extension can be bypassed makes it useless, according to Phil Lieberman, CEO of Lieberman Software Corporation, adding that the problem is endemic to browser plug-ins for security.
In an email, Lieberman told SC, “The reasons for the weakness are numerous, but fundamentally they all come down to how a browser extension works (or can't work) which make phishing almost impossible to defeat unless means outside the browser are used.”
Peter Stancík, ESET security expert, told SC that it's impossible for a developer to anticipate every security scenario. “There are many researchers analysing security aspects of new applications, especially those with a big user base and/or those developed by big names – and vulnerabilities are found,” he said. “At least the vulnerability was found very quickly and the authors can take appropriate actions.”
Lieberman warned: “Users should not be fooled into thinking security browser extensions are 100 percent reliable.”
Stancík agreed that users should not rely on this extension, advising people to check the authenticity of the websites they visit by scrutinising the URL and certificate.