From PC World: For the past several days security researchers have raced to demonstrate that phishing protections added by a new Google Chrome extension can be bypassed with ease.
The Password Alert extension, developed by Google and released Wednesday, is designed to alert Chrome users when they input their Gmail passwords on websites that don’t belong to Google and are therefore part of phishing attacks.
By Thursday, an information security consultant named Paul Moore had already devised a method that attackers could use to block the extension’s alerts.
Google fixed that initial bypass in a new version released Friday, but since then it’s been a cat-and-mouse game between Google’s developers and security researchers, who have kept finding more ways to defeat the extension.
At the moment, the tally stands at nine bypasses, the latest of which was developed by Moore today. According to the researcher, only three of them have been patched by Google so far. The extension’s latest version—1.6—was released Friday.
The majority of these exploits can be resolved easily, but a couple are difficult, if not impossible, to fix, Moore said Monday via email.