Bypassing Google Password Alert with One Line of Code

- 1 min

Google Password Alert has become very popular recently. It’s practical and a great defensive way to mitigate phishing damages against Google users.

It has been bypassed several times as soon as it arrives, and Google has patched all the known techniques. After hearing that Google had patched all known techniques, I thought about testing it to see how long it would take me to bypass it.

My first idea was to use documents.write and encode the phishing page in Unicode, and see the results. The method worked successfully in v1.12.

I reported the vulnerability to Google via the Google VRP page, and the team member asked me to write it to the project’s Github page. I reported it to GitHub on June 24 and did not receive a response from Google about patching the bypass. The next version, v1.13, has been released without fixing the issue. Therefore, the bypass is currently working on v1.13.

Github Report:

A complete example would be as the following:

html <script>document.write("[PAGE IN UNICODE]");</script> ``

Demonstration Video:

Final Thoughts:

Mazin Ahmed

Mazin Ahmed

Thoughts of a hacker

rss facebook twitter github gitlab youtube mail spotify lastfm instagram linkedin google google-plus pinterest medium vimeo stackoverflow reddit quora quora