Install Google Password Alert?
Google suffered an embarrassing moment just a day after it released a free browser extension intended to protect users against phishing attacks. Google fixed the mistake quickly, but the fix is also vulnerable to being bypassed. Should you install the Google Password Alert tool anyway? I say yes...
What is Google's Password Alert Tool?
The extension is called Password Alert. Once you have logged in to your Google account, Password Alert will warn you if you enter your Google password on any non-Google Web page, such as a fake “Google Mail sign in” page erected by a phisher. Password Alert will urge you to change your Google account password “immediately.”
Password Alert was released on April 29. In less than 24 hours, security consultant Paul Moore posted a YouTube video demonstrating how to defeat Password Alert by adding “just seven lines of (JavaScript) code” to a phisher’s Web page. Basically, Moore’s simple program scans the user’s screen for the Password Alert warning every 5 milliseconds and deletes it before the warning can be read, or even noticed by most people.
“In short, anyone looking to launch a phishing attack against a Google account simply needs to add those seven lines to render the Password Alert protection useless,” Moore told Forbes in an interview on May 1.
Google issued a patched update of Password Alert within a few hours of Moore’s revelation. But by May 1, Moore had demonstrated that the “fixed” version could also be defeated by a few lines of JavaScript. Other security researchers joined the fun, and so far nine ways to bypass Password Alert have been devised. As of this writing, Google has responded to 3 of those, but the latest version (v1.6) does not address them all.
Perhaps Password Alert should be returned to the development department and entirely re-designed. It should not be necessary for me to go change my Google password “immediately” or ever. If Password Alert knows that I am not on a legitimate Google page and that I just entered my Google password, it should not allow that password to be transmitted to the phishing page, unless the user explicitly overrides the warning. What is so difficult about this?
A Work in Progress...
Are you using Two-Factor Authentication? It sounds geeky, but it's actually easy to do and very important. See SECURITY TIP: Two Factor Authentication to learn how.
Password Alert (when it works) also prevents re-use of Google passwords on otherwise legitimate sites, a good security practice as far as it goes. However, it won’t stop me from using my bank site’s password on a bogus site, or Netflix, or Facebook, etc. “Use a unique password on each site” is good advice that could be enforced by Password Alert or something similar.
So far, just over 70,000 users have downloaded the Password Alert extension from the Google Chrome Web Store. I don’t believe Password Alert will be a runaway hit. But those who are using it should be aware of its limitations and vulnerabilities.
Just to be clear, using the flawed Password Alert does NOT make you any more vulnerable to malware attacks. If anything, it makes you marginally safer. The problem identified by the researchers is that the warnings normally presented by Password Alert can be "silenced" if the webmaster of a malicious site adds additional code to block them.
So even the current version (assuming it's not fixed by the time you read this) is beneficial in the sense that it will warn you against re-using your Google password on non-Google sites. It will even work on malicious sites that have not added the blocking code. Chrome extensions update automatically, and I expect that Google will give this full attention over the next few days. So I still think it's a good idea to install this one, especially if you tend to be sloppy with password reuse.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 4 May 2015
Article information: AskBobRankin -- Install Google Password Alert? (Posted: 4 May 2015)
Source: https://askbobrankin.com/install_google_password_alert.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Install Google Password Alert?"
Posted by:
Jim
04 May 2015
Just use Lastpass and you won't need to worry about phishing attacks, as Lastpass will not fill in your password on a phishing site. Roboform, 1password, and others probably do the same (although I do not have personal experience with those password managers and cannot say for certain).
Posted by:
Chris
04 May 2015
I read where password managers that use the clipboard also have issues, as it's easy to monitor the clipboard for password info, capture it and send it off to who knows where.
Posted by:
MmeMoxie
04 May 2015
Not interested in this extension for Chrome or Google.
I have Lastpass, plus Avast!, which lets me know that I am at a BAD website. Avast! will block any website that isn't deemed GOOD.
So far, I am pleased with all of my protective programs, Avast!, Malwarebytes and Lastpass. I am good to go. :)
Posted by:
jmke
04 May 2015
If Jim or Bob can answer, is this LastPass feature available in the free and/or Premium version? Thanks
Posted by:
Pablo Cassels
04 May 2015
Basically, password alert should simply alert you that you are on a phishing, or other suspect, site.
On another note, what do you think of the Google Chrome extension Sidekick? Worthy add on, or just an invasion of privacy?
Posted by:
Whipsnard
04 May 2015
Is this problem strictly with Chrome?
EDITOR'S NOTE: This is not a problem with Chrome. This is a benefit of using Chrome, which is not available to those who use other browsers.
Posted by:
Chuck
05 May 2015
Does my use of Google's Two-step verification provide any security against this?
EDITOR'S NOTE: If by "this" you mean the Password Alert tool, then let me clarify... This article was not about a security vulnerability. It was about a tool to help you be more careful with your passwords. If by "this" you mean the possibility that you might accidentally expose your Google password by entering it on a phishing site, then yes, two-step verification will protect you because the phishing site owners would need more than just your password to login.