Google Password Alert could be foiled with just 7 lines of JavaScript

Google has been obliged to revise its Password Alert anti-phishing protection just hours after releasing it when security researchers showed how the technology was easily circumvented. Security consultant Paul Moore (@Paul_Reviews) has published a proof-of-concept JavaScript exploit that skirted the defensive technology with …

  1. Doctor_Wibble

    Stop using the web!

    This is the only solution! Nothing is safe so don't use the web for anything of any importance. Ever.

    You can return to your interwebnet activities just as soon as we can develop a properly secured interactive communication system, preferably based on some bastardised offspring of IRC and gopher.

    Maybe once that's done we can add some graphics and a bit of scripting to enhance the user experience, possibly the odd advert or two to help cover costs, it will be completely different from what we have now...

    1. Crazy Operations Guy

      Re: Stop using the web!

      Meh, Gopher is just a bastardized version of UUCP...

  2. h4rm0ny

    How did they fix it?

    It was my understanding that the Chrome extensions could only act within the DOM thus making any approach defeatable in theory. I'm envisaging this fix they've just released changing the id of the element from "browser_warning" to "browser_warning2"!

    Now I'm sure that's not the case, but I am interested to know how one could actually get around this. Generate random ids for the DIV? Give the DIV no id at all? What did they actually do to fix this because if it's in the DOM there should be a way to defeat it.

    1. Crazy Operations Guy

      Re: How did they fix it?

      Normally extensions are restricted to a specific DOM, but this is Google, they can do whatever the hell they want since Chrome trusts Google code enough to run outside of the sandbox.

  3. YetAnotherJoeBlow

    Dooh

    The page can manipulate back -- because....

    Wait a minute, they knew that...

    The whole idea is wrong, Java based. All this from a company that knows better.

    1. Mark 85

      Re: Dooh

      All this from a company that claims it knows better than anyone else.

      FTFY
