
Comments (5)

semenko commented on May 21, 2024

Hey -- I'm not sure that's what's going on here -- this isn't a bypass of the extension. That string lookup is only used to save the password from accounts.google.com.

It's probably easier to see what's going on if you check out the non-minified/compiled scripts in this repo, e.g. https://github.com/google/password-alert/blob/master/chrome/content_script.js

from password-alert.

 avatar commented on May 21, 2024

@semenko As a matter of fact (and you can see this as well) this script is detecting if the page is in fact a phishing-page (look at the console.log implementation), the script is checking if the element is in place as well.

Please give me a full explanation or don't comment at all.

Thanks!


semenko commented on May 21, 2024

Yup -- phishing detection is well known to be fragile -- and isn't considered to be a real security issue. See the bottom of: https://github.com/google/password-alert/blob/master/SECURITY.md


 avatar commented on May 21, 2024

@semenko, Yup! But unfortunately for you, you're talking about Google's Bug Bounty Program.

And fyi it is a security vulnerability (in my opinion).


adhintz commented on May 21, 2024

Hi @mgeex,

Thanks for the report. Password Alert currently has two detection methods:

  1. Password-based where it detects where your password is typed.
  2. Page-based where it examines the HTML for particular strings from legitimate login pages. This is the detection method that you're discussing in this issue. For example, see passwordalert.looksLikeGooglePageTight_. The purpose of this is to do a quick check for phishing sites that have copy/pasted the legitimate login form.

As you've pointed out, it's easy to bypass by ensuring that your phishing page does not have any of the strings that are being checked for. One advantage of this is that enterprises can configure the corp_html_tight_ and corp_html_ to protect their custom sign-on pages. For example, here's the default HTML snippet that your example avoids:

passwordalert.corp_html_tight_ = [
  // From https://accounts.google.com/ServiceLogin
  ('<form novalidate="" method="post" ' +
   'action="https://accounts.google.com/ServiceLoginAuth" ' +
   'id="gaia_loginform">'),

I'll elaborate on this subject in the technical security description file and describe the limitations of the page-based HTML checks.

@semenko Thanks for replying and helping out!

from password-alert.
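
The following is an added example, not Password Alert's code and not part of the comment above. It shows why an exact-string page check only recognises verbatim copies, and how an enterprise could audit its own corp_html_tight_ entries against its real sign-on page. It assumes the check is a plain substring match; `looksLikePageTight`, `normalize`, `auditSnippets` and the sample pages are hypothetical names and constructed data.

```javascript
// Snippet quoted in the thread (default corp_html_tight_ entry).
const CORP_HTML_TIGHT = [
  '<form novalidate="" method="post" ' +
  'action="https://accounts.google.com/ServiceLoginAuth" ' +
  'id="gaia_loginform">',
];

// Assumed shape of the page-based check: true when any snippet appears verbatim.
function looksLikePageTight(html, snippets) {
  return snippets.some((s) => html.indexOf(s) >= 0);
}

// Collapse whitespace runs so purely cosmetic markup changes compare equal.
function normalize(markup) {
  return markup.replace(/\s+/g, ' ').trim();
}

// Drift audit for a protected sign-on page: classify each configured snippet
// against the HTML the legitimate page serves today.
//   match          - the snippet still appears verbatim
//   cosmetic-drift - only whitespace changed; the exact check no longer fires
//   stale          - the markup changed; the snippet needs replacing
function auditSnippets(legitHtml, snippets) {
  const normPage = normalize(legitHtml);
  return snippets.map((snippet) => {
    if (legitHtml.indexOf(snippet) >= 0) return { snippet, status: 'match' };
    if (normPage.indexOf(normalize(snippet)) >= 0) {
      return { snippet, status: 'cosmetic-drift' };
    }
    return { snippet, status: 'stale' };
  });
}

// Constructed sample pages (not real captures).
const LOGIN_AS_CONFIGURED =
  '<html><body>' + CORP_HTML_TIGHT[0] + '<input name="Email"></form></body></html>';
const LOGIN_AFTER_REFORMAT =
  LOGIN_AS_CONFIGURED.replace('method="post" ', 'method="post"\n      ');
const LOGIN_AFTER_REDESIGN =
  '<html><body><form method="post" action="/signin" id="login"></form></body></html>';

for (const [name, page] of [['as configured', LOGIN_AS_CONFIGURED],
  ['after reformat', LOGIN_AFTER_REFORMAT], ['after redesign', LOGIN_AFTER_REDESIGN]]) {
  console.log(name, looksLikePageTight(page, CORP_HTML_TIGHT),
    auditSnippets(page, CORP_HTML_TIGHT)[0].status);
}
```

Running the audit whenever the sign-on page template changes keeps the configured snippets in step with the page they are meant to protect.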
