Bypassing Google Password Alert with One Line of Code


Google Password Alert has become very popular recently. It is very useful and can be a great defense for mitigating phishing damage against Google users.

Since its release, it has been bypassed several times, and Google has patched all the known techniques. After I heard that Google had patched all known techniques, I thought about testing it to see how long it would take me to bypass it.

The first idea that came to me was to use document.write, encode the phishing page in Unicode, and see the results. The method worked successfully in v1.12.

I reported the vulnerability to Google via the Google VRP page, and a team member asked me to report it on the project's GitHub page. I reported it on GitHub on June 24 and have not received a response from Google about patching the bypass. The next version, v1.13, was released without patching the issue. Therefore, the bypass currently works on v1.13.

GitHub report: https://github.com/google/password-alert/issues/72

A full example looks like this:

<script>document.write("[PAGE IN UNICODE]");</script>
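From the defender's side, the snippet above shows why a check that only looks at raw page source can miss markup that exists solely as escapes inside a document.write() string. The following is an added example, not code from Password Alert or from the original post; MARKER, SAMPLE and all function names are hypothetical, and the marker stands in for whatever string a source-level scanner looks for.

```javascript
// Added example. MARKER and SAMPLE are constructed; the marker is a hypothetical
// stand-in for whatever string a source-level scanner looks for.
const MARKER = "<form id=login>";
const SAMPLE = String.raw`<html><body><script>document.write("\u003c\u0066\u006f\u0072\u006d\u0020\u0069\u0064\u003d\u006c\u006f\u0067\u0069\u006e\u003e");</script></body></html>`;

// Decode \\, \xNN, \uNNNN and \u{N...} in one pass so nothing is decoded twice.
function decodeJsEscapes(literal) {
  const re = /\\(?:(\\)|u\{([0-9a-fA-F]{1,6})\}|u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2}))/g;
  return literal.replace(re, (match, bs, braced, u4, x2) => {
    if (bs) return "\\";
    const cp = parseInt(braced || u4 || x2, 16);
    // Leave out-of-range code points untouched instead of throwing.
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Return the decoded string-literal argument of every document.write()/writeln() call.
function extractWrittenMarkup(html) {
  const call = /document\.write(?:ln)?\(\s*(["'])((?:\\[\s\S]|(?!\1)[^\\])*)\1\s*\)/g;
  const out = [];
  for (const m of html.matchAll(call)) out.push(decodeJsEscapes(m[2]));
  return out;
}

// Compare a raw-source check with one that also scans the decoded write() payloads.
function scan(html, marker) {
  const raw = html.includes(marker);
  const normalized = raw || extractWrittenMarkup(html).some(s => s.includes(marker));
  return { raw, normalized };
}

console.log(scan(SAMPLE, MARKER));
```

This normalization only covers string literals passed directly to document.write(); a check that inspects the rendered DOM after scripts have run also covers strings assembled at runtime.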

Demonstration Video:

Final Thoughts:

Mazin Ahmed
