Saturday, July 25, 2015

Bypassing Google Password Alert with One Line of Code

Google Password Alert has become very popular recently. It is very useful and can be a great defensive measure for limiting the damage phishing does to Google users.
Soon after its release it was bypassed several times, and Google has patched all the known techniques.
After I heard that Google had patched all known techniques, I decided to test it and see how long it would take me to bypass it.
The first idea that came to me was to use document.write, encode the phishing page in Unicode, and see the results. The method worked successfully in v1.12.
I reported the vulnerability to Google via the Google VRP page, and the team member asked me to report it on the project's GitHub page. I reported it on GitHub on June 24 and have not received a response from Google about patching the bypass. The next version, v1.13, has been released without patching the issue. Therefore, the bypass currently works on v1.13.
Github Report:

A full example would be as the following:
<script>document.write("[PAGE IN UNICODE]");</script> 
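The post does not say why the extension missed the escaped page, so the following is an added example (not Password Alert's code, and not the author's) built on one assumption: a checker that pattern-matches the raw HTML source never sees a "<form" or "type=\"password\"" when those characters arrive as \u003c and \u0022 inside a document.write string literal, while the browser decodes the literal and renders the form anyway. The example decodes the escapes the way the JavaScript engine would and compares a raw-source check with a decoded check; the credential markers, regexes and the small escaped form are constructed for illustration.

```javascript
// Added example: normalize document.write() string literals before scanning.
// Markers and regexes below are assumptions, not Password Alert's real rules.

const CREDENTIAL_MARKERS = [
  /<input[^>]*type\s*=\s*["']?password/i,
  /<form[^>]*action\s*=\s*["'][^"']*(login|signin)/i,
];

// Decode \u{X}, \uXXXX, \xXX and the common single-character escapes of a
// JavaScript string-literal body (the text between the quotes).
function decodeJsStringEscapes(body) {
  const simple = { n: "\n", r: "\r", t: "\t", b: "\b", f: "\f", v: "\v", 0: "\0" };
  return body.replace(
    /\\(u\{([0-9a-fA-F]+)\}|u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2})|(.))/gs,
    (match, whole, brace, u4, x2, ch) => {
      if (brace) return String.fromCodePoint(parseInt(brace, 16));
      if (u4) return String.fromCharCode(parseInt(u4, 16));
      if (x2) return String.fromCharCode(parseInt(x2, 16));
      return simple[ch] !== undefined ? simple[ch] : ch; // \" \' \\ \/ and friends
    }
  );
}

// Pull the string-literal argument out of each document.write()/writeln() call.
// One literal per call; concatenated or computed arguments are out of scope here.
function extractDocumentWriteLiterals(source) {
  const re = /document\.write(?:ln)?\s*\(\s*(["'])((?:\\.|(?!\1)[^\\])*)\1\s*\)/gs;
  const literals = [];
  let m;
  while ((m = re.exec(source)) !== null) literals.push(m[2]);
  return literals;
}

function hasCredentialMarkers(markup) {
  return CREDENTIAL_MARKERS.some((re) => re.test(markup));
}

// rawHit: what a raw-source scanner sees. decodedHit: what the browser renders.
function scanPage(html) {
  const decoded = extractDocumentWriteLiterals(html).map(decodeJsStringEscapes);
  return {
    rawHit: hasCredentialMarkers(html),
    decodedHit: decoded.some(hasCredentialMarkers),
    decodedMarkup: decoded.join(""),
  };
}

// Constructed sample page (not a real phishing page): every angle bracket and
// quote of the form arrives as a \u escape inside a document.write literal.
const ESCAPED_FORM =
  "\\u003cform action=\\u0022/signin\\u0022\\u003e" +
  "Email \\u003cinput name=\\u0022Email\\u0022\\u003e " +
  "Password \\u003cinput type=\\u0022password\\u0022 name=\\u0022Passwd\\u0022\\u003e" +
  "\\u003c/form\\u003e";
const SAMPLE_PAGE =
  "<html><body>\n<script>document.write(\"" + ESCAPED_FORM + "\");</script>\n</body></html>";

console.log(scanPage(SAMPLE_PAGE)); // rawHit: false, decodedHit: true
```

The raw check misses the sample because the source never contains a literal "<input" or "type=\"password\""; the decoded check matches because the decoded literal is exactly the markup the browser will write into the document. Inspecting the rendered DOM after scripts run (for example from a content script) achieves the same effect without having to reimplement the engine's escape handling.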
Demonstration Video:

Final Thoughts:
  • Google Password Alert is a great idea, as it helps prevent phishing attacks, the greatest threat to many companies. I would love to see the next updates bring new improvements to it.
  • The whole bypass process took me about five minutes (including thinking); it was not a difficult challenge. I hope that Google puts more effort into preventing evasion techniques.
