Well, that didn't take long: earlier this week, Google introduced a new anti-phishing tool called Password Alert to its Chrome browsers. Password Alert would show you a warning if you type your Google password into a site that isn't a Google sign-in page.
So if, for example, a scammer sent you an email purportedly (but not really) from Google, claiming there's some problem with your Google account so you should click the link in this-here email to log in and type your password when asked – Password Alert would send you a warning notice advising you to reset your password since it had just been typed into a non-Google page.
But it took less than 24 hours for security researchers to discover a workaround which ArsTechnica called a “drop-dead simple exploit that nukes Google's password alert.”
Paul Moore, an information security consultant with the UK-based Urity Group, developed a simple proof-of-concept exploit, shown here,which looks convincingly similar to a genuine Google login page even though it's completely fake, with no connection to Google at all — yet if you're in Chrome and type your password into it (don't try this yourself), you won't see Google's Password Alert warning because the program will suppress it.
A proof of concept (or PoC) exploit is an example of white-hat hacking (or “good guy” hacking). PC Mag's encyclopedia defines a PoC exploit as: “An attack against a computer or network that is performed only to prove that it can be done. It generally does not cause any harm, but shows how a hacker can take advantage of a vulnerability in the software or possibly the hardware.”
To its credit, Google swiftly responded to news of Moore's PoC exploit with an update to patch it. Yesterday, a Google engineer took to Twitter to say that Password Alert has been updated to version 1.4, in order to prevent Moore's PoC exploit from working:
It's now fixed in 1.4. To update quickly, go to chrome://extensions/ , enable developer mode, click update extensions now.