Sign up to our newsletter
Google has taken a stand against phishing attacks by revealing Password Alert: a Chrome extension designed to neutralize them after a user is taken in, reports SC Magazine.
Password Alert is a free, open-source extension, designed to spot when you type your Google password into a site outside of the Google domain. The service stores an encrypted version of a user’s Google password which the browser then cross-checks every time you type a password into a non-Google external site. If it spots a match, a notification window will appear, suggesting you reset your password right away.
What’s more, Mashable reports, enterprise users of Google for Work can have it so that Password Alert is set across a domain, and can opt-in for administrators to receive notifications as users do, potentially alerting them to early threats.
Users who repeat the same password across sites will get inaccurate notifications, of course, though security experts recommend against reusing passwords in any case – so prompting a change may not be such a bad thing. Nonetheless, the extension does allow the user to turn off alerts for specific sites, should they wish.
However, ZDNet reports that Google has already been forced to update Password Alert after a security expert devised a few lines of code that could mute the alert notifications. Paul Moore from Urity Group created a proof-of-concept web page that looks like a Google login page – at the time of writing, Google flags the page as a phishing site.
Google has updated the extension, bringing it to version 1.4, but according to ZDNet, Moore has managed to bypass it again with a similar short code. Hopefully the extension will continue to be updated to keep phishers at bay.
At the time of writing, the extension has been downloaded by 27,797 users, according to Google’s own figures.
Author Alan Martin, ESET