Bypassing Google Password Alert with One Line of Code
- 1 minGoogle Password Alert has become very popular recently. It’s practical and a great defensive way to mitigate phishing damages against Google users.
It has been bypassed several times as soon as it arrives, and Google has patched all the known techniques. After hearing that Google had patched all known techniques, I thought about testing it to see how long it would take me to bypass it.
My first idea was to use documents.write and encode the phishing page in Unicode, and see the results. The method worked successfully in v1.12.
I reported the vulnerability to Google via the Google VRP page, and the team member asked me to write it to the project’s Github page. I reported it to GitHub on June 24 and did not receive a response from Google about patching the bypass. The next version, v1.13, has been released without fixing the issue. Therefore, the bypass is currently working on v1.13.
Github Report: https://github.com/google/password-alert/issues/72
A complete example would be as the following:
“html
<script>document.write("[PAGE IN UNICODE]");</script>
``
Demonstration Video:
Final Thoughts:
-
Google Password Alert is a great idea, as it helps prevent phishing attacks, the greatest threat to many companies. I would love to see the following updates with new improvements towards it.
-
The bypass process took me about five minutes (including thinking); it was not a difficult challenge. I hope that Google puts more effort into preventing evading techniques.
Related Posts
- Introducing LLMQuery Framework: Scaling GenAI Automation with Prompt Templates
- Engineering Learnings from the CrowdStrike Falcon Outage
- Secrets Patterns DB: Building Open-Source Regex Database for Secret Detection
- Speaking at BlakcHat MEA 2022
- DoS Attacks are Dead: Demystifying Practical DoS Attacks
