Google has fixed a flaw in its new Password Alert system that would allow cyber fraudsters to bypass the security measure with just seven lines of code.
The flaw was revealed Thursday by security researcher Paul Moore of U.K.-based Unity Group, who said the program’s basic vulnerability “beggars belief.”
“The suggestion that it offers any real level of protection is laughable,” Moore told Ars Technica.
The Password Alert feature is an extension in Google’s Chrome browser that urges users to reset their Google password if they accidentally type it into a fraudulent copycat login page.
Fraudsters are creating websites that look like Google’s login screen in order to trick users into handing over their passwords, a process known as phishing.
The anti-fraud feature was not as secure as Google developers hoped, however. Moore demonstrated the weakness during a 21-second YouTube video posted Thursday, which now has more than 6,000 views.
“In short, anyone looking to launch a phishing attack against a Google account simply needs to add those seven lines to render the Password Alert protection useless,” Moore told Forbes. “It’s an embarrassment, really.”
He followed up on Friday by revealing yet another flaw in the latest patched update of Password Alert.