Back at the end of April, Google unveiled an ingenious new extension called Password Alert—one that notifies you any time you’ve entered your Google password into a non-Google website or form.
Originally, it was intended to warn you immediately that you had been phished, with a link to your Gmail settings so you could reset the password. A great idea, but unfortunately not airtight. Only a few days after the extension was released, Paul Moore, a security researcher, reported that he had quickly found a way to bypass it.
Not a perfect defense
Drew Hintz, a Google engineer, was quick to follow with an update to address the problem, but to no avail. Using three simple lines of code, Moore bypassed the extension again: by refreshing the page after each character of the password is entered, the page never sees the full password typed in one go, so the warning is never triggered.
While this back-and-forth between developer and researcher may continue for a while, Moore didn’t outright lambast Password Alert: “it will help protect against the simplest of phishing attacks and for that, Google should be commended, but it arguably offers little protection against more sophisticated attacks,” he recently told SecurityWeek.
So should you try out Password Alert for yourself? While there’s no such thing as a true “silver bullet” for security, we’d recommend holding off on this extension until Google has put it through its paces, because it isn’t airtight yet. If you want to stay up to date on this extension, check out the Password Alert FAQ and/or the extension page.