Comments (5)
Hey -- I'm not sure that's what's going on here -- this isn't a bypass of the extension. That string lookup is only used to save the password from accounts.google.com.
It's probably easier to see what's going on if you check out the non-minified/compiled scripts in this repo, e.g. https://github.com/google/password-alert/blob/master/chrome/content_script.js
@semenko As a matter of fact (and you can see this as well), this script is detecting whether the page is in fact a phishing page (look at the console.log implementation); the script is checking whether the element is in place as well.
Please give me a full explanation or don't comment at all.
Thanks!
- Mischa R. van Geelen (@RickGeex)
Yup -- phishing detection is well known to be fragile -- and isn't considered to be a real security issue. See the bottom of: https://github.com/google/password-alert/blob/master/SECURITY.md
@semenko, Yup! But unfortunately for you, you're talking about Google's Bug Bounty Program.
And fyi it is a security vulnerability (in my opinion).
Hi @mgeex,
Thanks for the report. Password Alert currently has two detection methods:
- Password-based, where it detects where your password is typed.
- Page-based, where it examines the HTML for particular strings from legitimate login pages. This is the detection method that you're discussing in this issue. For example, see passwordalert.looksLikeGooglePageTight_. The purpose of this is to do a quick check for phishing sites that have copy/pasted the legitimate login form.
As you've pointed out, it's easy to bypass by ensuring that your phishing page does not have any of the strings that are being checked for. One advantage of this is that enterprises can configure the corp_html_tight_ and corp_html_ lists to protect their custom sign-on pages. For example, here's the default HTML snippet that your example avoids:
passwordalert.corp_html_tight_ = [
  // From https://accounts.google.com/ServiceLogin
  ('<form novalidate="" method="post" ' +
   'action="https://accounts.google.com/ServiceLoginAuth" ' +
   'id="gaia_loginform">'),
];
I'll elaborate on this subject in the technical security description file and describe the limitations of the page-based HTML checks.
@semenko Thanks for replying and helping out!
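The page-based check described in the reply above, as an added example: this is my own illustration, not code from the password-alert project, and the function names, the looser attribute-set variant and the three sample pages are all constructed for this example. It shows the exact-substring check the maintainer describes, a variant that survives attribute reordering, and how a phishing page that rewrites the form tag slips past both, which is the limitation being discussed.

```javascript
// Added example (not password-alert's own code): a minimal page-based phishing
// check in the style the maintainer describes, with constructed sample pages.

// One expected snippet, copied from the maintainer's comment above. An enterprise
// would replace this with fragments of its own sign-on page.
const corpHtmlTight = [
  '<form novalidate="" method="post" ' +
  'action="https://accounts.google.com/ServiceLoginAuth" ' +
  'id="gaia_loginform">',
];

// Exact-substring check: the page is flagged only if it contains a snippet verbatim.
function looksLikeLoginPageTight(html, snippets = corpHtmlTight) {
  return snippets.some((s) => html.includes(s));
}

// Looser variant: compare a start tag by tag name plus sorted attribute set, so
// reordering attributes no longer defeats the check. Renaming or dropping an
// attribute still does, which is exactly the fragility the thread is about.
function normalizeTag(tag) {
  const m = /^<\s*([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>$/.exec(tag);
  if (!m) return null;
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = [];
  let a;
  while ((a = attrRe.exec(m[2])) !== null) {
    attrs.push(`${a[1].toLowerCase()}=${a[2] ?? a[3] ?? a[4] ?? ''}`);
  }
  attrs.sort();
  return [m[1].toLowerCase(), ...attrs].join(' ');
}

function looksLikeLoginPageLoose(html, snippets = corpHtmlTight) {
  const wanted = new Set(snippets.map(normalizeTag).filter(Boolean));
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => wanted.has(normalizeTag(t)));
}

// Constructed sample pages (not captured from any real site).
// 1. A straight copy/paste of the legitimate form tag.
const clonedPage =
  '<html><body><form novalidate="" method="post" ' +
  'action="https://accounts.google.com/ServiceLoginAuth" id="gaia_loginform">' +
  '<input name="Email"><input name="Passwd" type="password"></form></body></html>';
// 2. Same attributes, different order: defeats the substring check only.
const reorderedPage =
  '<html><body><form method="post" id="gaia_loginform" novalidate="" ' +
  'action="https://accounts.google.com/ServiceLoginAuth">' +
  '<input name="Email"><input name="Passwd" type="password"></form></body></html>';
// 3. Form rewritten to post to the attacker's own endpoint: defeats both checks.
const rewrittenPage =
  '<html><body><form method="post" id="login" action="/collect">' +
  '<input name="Email"><input name="Passwd" type="password"></form></body></html>';

// Returns [tight, loose] verdicts for each constructed page.
function demo() {
  return {
    cloned: [looksLikeLoginPageTight(clonedPage), looksLikeLoginPageLoose(clonedPage)],
    reordered: [looksLikeLoginPageTight(reorderedPage), looksLikeLoginPageLoose(reorderedPage)],
    rewritten: [looksLikeLoginPageTight(rewrittenPage), looksLikeLoginPageLoose(rewrittenPage)],
  };
}

console.log(demo());
```

The third page is the case the thread is about: nothing in the snippet list appears on it, so neither check fires, even though the page still collects a Google password. That is why the password-based detection (fingerprinting what the user types) is the method the project relies on, and why the HTML checks are documented as a quick, best-effort heuristic rather than a security boundary.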