Hanno's blog

A few days ago Google released a Chrome extension that emits a warning if a user types in his Google account password on a foreign webpage. This is meant as a protection against phishing pages. Code is on Github and the extension can be installed through Google's Chrome Web Store.

When I heard this the first time I already thought that there are probably multiple ways to bypass that protection with some Javascript trickery. Seems I was right. Shortly after the extension was released security researcher Paul Moore published a way to bypass the protection by preventing the popup from being opened. This was fixed in version 1.4.

At that point I started looking into it myself. Password Alert tries to record every keystroke from the user and checks if that matches the password (it doesn't store the password, only a hash). My first thought was to simulate keystrokes via Javascript. I have to say that my Javascript knowledge is close to nonexistent, but I can use Google and read Stackoverflow threads, so I came up with this:

<script>
function simkey(e) {
if (e.which==0) return;
var ev=document.createEvent("KeyboardEvent");
ev.initKeyboardEvent("keypress", true, true, window, 0, 0, 0, 0, 0, 0);
document.getElementById("pw").dispatchEvent(ev);
}
</script>
<form action="" method="POST">
<input type="password" id="pw" name="pw" onkeypress="simkey(event);">
<input type="submit">
</form>

For every key a user presses this generates a Javascript KeyboardEvent. This is enough to confuse the extension. I reported this to the Google Security Team and Andrew Hintz. Literally minutes before I sent the mail a change was committed that did some sanity checks on the events and thus prevented my bypass from working (it checks the charcode and it seems there is no way in webkit to generate a KeyboardEvent with a valid charcode).

While I did that Paul Moore also created another bypass which relies on page reloads. A new version 1.6 was released fixing both my and Moores bypass.

I gave it another try and after a couple of failures I came up with a method that still works. The extension will only store keystrokes entered on one page. So what I did is that on every keystroke I create a popup (with the already typed password still in the form field) and close the current window. The closing doesn't always work, I'm not sure why that's the case, this can probably be improved somehow. There's also some flickering in the tab bar. The password is passed via URL, this could also happen otherwise (converting that from GET to POST variable is left as an exercise to the reader). I'm also using PHP here to insert the variable into the form, this could be done in pure Javascript. Here's the code, still working with the latest version:

<script>
function rlt() {
window.open("https://test.hboeck.de/pw2/?val="+document.getElementById("pw").value);
self.close();
}
</script>
<form action="." method="POST">
<input type="text" name="pw" id="pw" onkeyup="rlt();" onfocus="this.value=this.value;" value="<?php
if (isset($_GET['val'])) echo $_GET['val'];
?>">
<input type="submit">
<script>
document.getElementById("pw").focus();
</script>

Honestly I have a lot of doubts if this whole approach is a good idea. There are just too many ways how this can be bypassed. I know that passwords and phishing are a big problem, I just doubt this is the right approach to tackle it.

One more thing: When I first tested this extension I was confused, because it didn't seem to work. What I didn't know is that this purely relies on keystrokes. That means when you copy-and-paste your password (e. g. from some textfile in a crypto container) then the extension will provide you no protection. At least to me this was very unexpected behaviour.

I'm actively participating in the OpenStreetMap project since about a week. Today I tagged two roads google maps doesn't know about (so at least in one very small part of the world osm is more accurate than google).
They're the Euro- and D-Mark street in Murrhardt. And yes, they invent stupid street names here.

Ich würde ja nie behaupten, mich in Geographie sonderlich gut auszukennen, aber ich war mir doch relativ sicher, dass die Pfalz nicht im Allgäu liegt.

Google Maps sieht das aber anders.

Google has the reputation to be free software-friendly. Without doubt they did a lot in the past, especially many Summer of Code-Projects, that developed essential features for free software projects.

That google is also willing to put legal threat on free software projects if they compete in their are, they recently showed against the project gaia. It was a project to have a replacement client for google earth (google's own client is proprietary). It was done by pure reverse engineering. The author took the project down after he received a letter from google.

It's quite questionable if gaia is doing anything illegal. They didn't use any data from google, they just provided another client for the service. In my opinion it's very important to fight for the right to reverse engineer. Many essential free software projects wouldn't exist if we couldn't reverse engineer. Just think of many hardware drivers, filesystem support, samba, many multimedia codecs, support for proprietary document formats (e. g. doc in OOo) and lot's more.

By the way, I took the freedom to host a copy of the latest gaia-version (and, as requested by some comments, the win32-patch for gaia). It's GPL, so everyone is free to continue the development.