On Thursday, Ars reported that a new service that warns when Google account users’ passwords are phished had been bypassed by a drop-dead simple exploit, just 24 hours after Google had rolled out the Chrome plugin. Within hours of publication, Google issued an update that blocked the exploit. Now the same researcher has figured out a way to block the new version, too.
The first bypass required just seven lines of code to completely obfuscate the warning that the older Password Alert extension displayed when Chrome users entered their Google account password into a non-Google website. The warning told users their Google password had been intercepted by bad guys and advised users to change it right away. The first exploit relied on a JavaScript-based timer that searches the loaded webpage for instances of Google’s warning screen and simply removes it. Technically, the warning window still appears, but the exploit prevented the user from ever seeing it.
