Google Chrome users who inadvertently get hooked by a non-Gmail phishing page and enter their password can now be notified by a new extension: Password Alert. Once an internal-only Google solution, Password Alert is now available for external users to download.
According to WIRED, phishing continues to be “one of the most serious and intractable problems in information security, and is often the initial breach point for hacker schemes.” The new extension’s alert gives users the opportunity to immediately reset their Gmail password. This can be particularly helpful, or annoying, since many people use the same password (“password1,” anyone?) across multiple accounts — other email sites, banking and more. The extension will alert users when they use that password on those sites, which “could lead users to give up the bad habit of sharing passwords between sites.” Future versions of the alert will offer the option to monitor other passwords as well.
Not long after the extension’s release, Google was forced to update it after security expert Paul Moore revealed a weakness in the code. According to Forbes, Moore demonstrated that it only took seven lines of JavaScript to bypass the alert service, calling it an “embarrassment.” Google quietly responded with an updated version. Moore countered, claiming to have discovered yet another JavaScript bypass.
In an interview with Forbes, password expert Per Thorsheim advises consumers and businesses that plan to use the new extension to conduct a risk analysis:
“It is a novel idea from Google and should be developed further. In its current form it doesn’t look good.”