
password-alert's Introduction

Password Alert

Password Alert helps detect and protect against phishing attacks. If you enter your Google password anywhere other than accounts.google.com, you receive an alert so that you can change your password if needed. Password Alert works like a spellchecker: it compares your keystrokes within the Chrome browser to your password to help you avoid mistakes. It does not store your password or your actual keystrokes, and it does not send either to any remote system beyond your computer -- instead, it locally saves a fingerprint (a salted one-way hash) of your password and compares that fingerprint to the fingerprint of what you are typing.

Separately, Password Alert also tries to detect fake Google login pages, so that it can alert you before you have typed your password. To do so, it checks the HTML of each page you visit for signs that the page is impersonating a Google login page. Google for Work enterprises can configure it to protect their own custom single sign-on (SSO) pages in the same way.

The Chrome extension currently protects only Google accounts: it compares your keystrokes only to the stored fingerprint of your Google account password, so other account passwords are not checked. The extension also does not operate in Incognito windows. When Google for Work administrators deploy Password Alert across all Chrome clients in their domain, they can receive alerts whenever Password Alert triggers.

Install the Chrome extension from the Chrome Web Store to try it yourself.

To deploy it in your Google for Work enterprise, please follow the deployment guide.

If you'd like to build it from source, please see chrome/README.md for instructions to build the Chrome Extension.

password-alert's People

Contributors

adamjnichols, adhintz, blueandgold, creisman, gdbelvin, kombatmd, m0hamed, nikai3d, pyker, richo, sc00bz, semenko

password-alert's Issues

Should exclude tabs.executeScript() calls to file:/// URL tabs

Originally reported here: https://bugs.chromium.org/p/chromium/issues/detail?id=602141

It seems the extension tries to inject script into tabs with file:/// URLs, ends up getting denied and produces console errors.

Couple of examples:
1)
extensions::lastError:133 Unchecked runtime.lastError while running tabs.executeScript: Cannot access contents of url "file:///Users/.../Test%20HTML%20File.htm". Extension manifest must request permission to access this host.
2)
extensions::lastError:133 Unchecked runtime.lastError while running tabs.executeScript: The extensions gallery cannot be scripted.
at Object.callback (chrome-extension://noondiphcddnnabmjcihcjfbhfklnnep/background_compiled.js:38:330)

Exclude short domain names

Some internal systems we have prefer the DNS short/unqualified name. It would be nice to be able to exclude them from sending alerts. We have a domain exclusion, but it does not work for these even if the short name resolves to an FQDN in our domain through the DNS client.

Suggestion: A different approach for secure login

Hi!
I want to suggest a different approach for secure login instead of playing cat and mouse by trying to mitigate a big set of attack vectors.

I suggest replacing all password fields on Google pages with a "Genuine Google Login" button. When the user clicks on this button, you can display a notification "This page is a Google page", which can possibly use a thumbnail of a unique "verification" image, and display the password textbox with the verification image on the Google page.

Unable to run install_deps

Hey there! I'm running into an issue with the do.sh install_deps command on a fresh clone of the project (I'm on a 2019 MBP):

$ ./do.sh install_deps

Installing build dependencies...
Cloning into 'closure-library'...
remote: Enumerating objects: 2403, done.
remote: Counting objects: 100% (2403/2403), done.
remote: Compressing objects: 100% (2163/2163), done.
remote: Total 2403 (delta 415), reused 449 (delta 220), pack-reused 0
Receiving objects: 100% (2403/2403), 6.43 MiB | 4.51 MiB/s, done.
Resolving deltas: 100% (415/415), done.
Cloning into 'closure-compiler'...
remote: Enumerating objects: 2122, done.
remote: Counting objects: 100% (2122/2122), done.
remote: Compressing objects: 100% (1692/1692), done.
remote: Total 2122 (delta 635), reused 739 (delta 376), pack-reused 0
Receiving objects: 100% (2122/2122), 4.89 MiB | 5.06 MiB/s, done.
Resolving deltas: 100% (635/635), done.
Buildfile: build.xml does not exist!
Build failed
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  303k  100  303k    0     0   638k      0 --:--:-- --:--:-- --:--:--  638k
Done.

I've narrowed it down to the shell script trying to run ant jar when building the closure-compiler in this part of download-libs.sh:

# build closure compiler
if [ ! -f closure-compiler/build/compiler.jar ]; then
  cd closure-compiler
  ant jar
  cd ..
fi

...which spits out that Buildfile: build.xml does not exist! Build failed.

Are there any updated guidelines on installing the proper deps for this project?

Deployment Guide referenced in the README is from 2015

"To deploy it in your Google for Work enterprise, please follow the deployment guide."

This should probably say "G Suite" but also it should probably link to the newer doc from 2017 which is referenced here:

https://support.google.com/a/answer/6197480?hl=en

That link references a newer Deployment Guide here:

https://docs.google.com/document/d/1GfQAlwhPj3EdpVNE0F-2BwdIVhn6yEgKzoethawctXg/edit?usp=drive_web

However, that document is not accessible to me currently. Should it be made public?

The server config.py also references the old trusted tester documentation:

https://github.com/google/password-alert/blob/master/server/config.py

https://docs.google.com/document/d/1Rz5NLa4chL5LL1rOhbQRicFetSWeCFmQS8MM5CcP7VM/edit

which itself points to the old 2015 deployment guide.

Simple bypass of alert banner

This video shows the obvious approach to removing the warning via getElementById('warning_banner').remove();

This is a perpetual cat & mouse game -- so I'm not sure there are great options, but perhaps:

  • We could randomize the injected div ID
  • We could warn via a side-channel (e.g. chrome.notifications)
  • Something else?

Alert pop up when signing in with someone else's Gmail account

I recently logged in to a website on my computer with my sister's account, and when I entered her credentials I received the Password Alert pop-up because her credentials for that website were the same as the ones for her Gmail account. The strange thing is that this happened while I was logged in with my Chrome account.

By trying to log in to some other website I became aware that this was her Gmail password, and I guess this was not meant to happen. It seems to me that this could be exploited to obtain passwords without even directly attempting to log in to Gmail.

Best regards,
Juan

Building the Extension

Following instructions to build the extension from source results in a couple of errors.

  1. ERROR - Duplicate input: lib/closure-library/closure/goog/deps.js
  2. background_compiled.js has an Uncaught ReferenceError: require is not defined.

Show banner and send alerts

It would be nice if we could configure the extension to show the banner when configured to also send alerts through the server.

403 Error when sending alert to server

Hi All,

We have implemented password alert for a small subset of users, however it doesn't show the alert screen when the user types in their password on a non-whitelisted page, and it also doesn't update the server. The console shows the below error after attempting to send the alert to the server:

POST https://########.appspot.com/report/password/ 403 (OK)
(anonymous function) @ background_compiled.js:50
target.(anonymous function) @ extensions::SafeBuiltins:19
safeCallbackApply @ extensions::sendRequest:21
handleResponse @ extensions::sendRequest:72

Any help would be greatly appreciated.

Thanks

admin app doesn't work

I just followed the deployment guide, but the deployed app wasn't working.
I manually deployed the index.yaml (didn't see this in the guide), and now the app runs but the page looks messed up and I get an error in the javascript console:

[Deprecation] HTML Imports is deprecated and will be removed in M73, around March 2019. Please use ES modules instead. See https://www.chromestatus.com/features/5144752345317376 for more details.
polymer.js:19 [Deprecation] Element.createShadowRoot is deprecated and will be removed in M73, around March 2019. Please use Element.attachShadow instead. See https://www.chromestatus.com/features/4507242028072960 for more details.
(anonymous) @ polymer.js:19
polymer.js:11709 [Deprecation] document.registerElement is deprecated and will be removed in M73, around March 2019. Please use window.customElements.define instead. See https://www.chromestatus.com/features/4642138092470272 for more details.
(anonymous) @ polymer.js:11709
polymer.js:10035 Uncaught DOMException: Failed to execute 'createShadowRoot' on 'Element': Shadow root cannot be created on a host which already hosts a shadow tree.
    at HTMLElement.shadowFromTemplate (https://password-monitor.appspot.com/bower_components/polymer/polymer.js:10035:25)
    at HTMLElement.parseDeclaration (https://password-monitor.appspot.com/bower_components/polymer/polymer.js:10007:25)
    at HTMLElement.parseDeclarations (https://password-monitor.appspot.com/bower_components/polymer/polymer.js:9988:28)
    at HTMLElement.makeElementReady (https://password-monitor.appspot.com/bower_components/polymer/polymer.js:9888:12)
    at HTMLElement.createdCallback (https://password-monitor.appspot.com/bower_components/polymer/polymer.js:9857:14)
    at HTMLElement.registerPrototype (https://password-monitor.appspot.com/bower_components/polymer/polymer.js:11301:28)
    at HTMLElement.register (https://password-monitor.appspot.com/bower_components/polymer/polymer.js:11129:12)
    at HTMLElement._register (https://password-monitor.appspot.com/bower_components/polymer/polymer.js:11637:12)
    at Object.flush (https://password-monitor.appspot.com/bower_components/polymer/polymer.js:11473:28)
    at Object.ready (https://password-monitor.appspot.com/bower_components/polymer/polymer.js:11488:12)
core-overlay.html:348 [Deprecation] /deep/ combinator is no longer supported in CSS dynamic profile.It is now effectively no-op, acting as if it were a descendant combinator. /deep/ combinator will be removed, and will be invalid at M65. You should remove it. See https://www.chromestatus.com/features/4964279606312960 for more details.

TypeError undefined for filter

Hi,

I have this extension installed and on every page I navigate to, I get the following error:

Error handling response: TypeError: Cannot read properties of undefined (reading 'filter') at chrome-extension://mkmaajnfmpmpebdcpfnjbkgaloeidlfa/content_script_compiled.js:26:310
I am on version 1.34 using a chromebook (with ChromeOS). Was able to confirm the same error on a macbook. Version 1.32 did not have the error.

500 error

Clean deployment, getting this error:

NeedIndexError: no matching index found. recommended index is:
- kind: Report
  properties:
  - name: domain
  - name: date
    direction: desc
The suggested index for this query is:
- kind: Report
  properties:
  - name: domain
  - name: date
    direction: desc

at .__query_result_hook ( /base/alloc/tmpfs/dynamic_runtimes/python27g/cc067b9c2d6e36d/python27/python27_lib/versions/1/google/appengine/datastore/datastore_query.py:2945 )
at .get_result ( /base/alloc/tmpfs/dynamic_runtimes/python27g/cc067b9c2d6e36d/python27/python27_lib/versions/1/google/appengine/api/apiproxy_stub_map.py:615 )
at .next_batch ( /base/alloc/tmpfs/dynamic_runtimes/python27g/cc067b9c2d6e36d/python27/python27_lib/versions/1/google/appengine/datastore/datastore_query.py:3231 )
at .next ( /base/alloc/tmpfs/dynamic_runtimes/python27g/cc067b9c2d6e36d/python27/python27_lib/versions/1/google/appengine/datastore/datastore_query.py:3345 )
at .next ( /base/alloc/tmpfs/dynamic_runtimes/python27g/cc067b9c2d6e36d/python27/python27_lib/versions/1/google/appengine/ext/db/init.py:2328 )
at .fetch ( /base/alloc/tmpfs/dynamic_runtimes/python27g/cc067b9c2d6e36d/python27/python27_lib/versions/1/google/appengine/ext/db/init.py:2159 )
at .get ( /base/data/home/apps/siss-security-identity/20230825t133911.454457248439787500/admin.py:47 )
at .decorate ( /base/data/home/apps/siss-security-identity/20230825t133911.454457248439787500/auth.py:62 )

Bug: Corrupt manifest.json in Chrome Webstore

Expected Behavior

  1. Install Extension
  2. Restart Chrome
  3. Open SSO URL, type password, hit enter
  4. Observe Setting possible password for xxx in Extension logs

Actual Behavior

Fresh Install with SSO tab already open

  1. Open SSO URL
  2. Install Extension from webstore
  3. Observe: New install detected. Inject content scripts into all tabs. in the background page for the extension
  4. Type password, hit enter
  5. Observe Setting possible password for xxx, Saving password for: xxx in the extension background page.

Fresh install with SSO tab not already open

  1. Install Extension from webstore
  2. Restart Chrome (optional - tested with and without)
  3. Open SSO URL, type password, hit enter
  4. Nothing in Logs

Root Cause

On disk Google/Chrome/Profile 1/Extensions/noondiphcddnnabmjcihcjfbhfklnnep/1.27_0/manifest.json looks like it has a corrupted content script policy that could be preventing the extension from loading content_script_compiled.js on new page loads. It appears that <all_urls> from manifest.json has been replaced with \u003Call_urls>.

A similar issue has been reported on stackoverflow

{
   "author": {
      "email": "[email protected]"
   },
   "background": {
      "persistent": false,
      "scripts": [ "background_compiled.js" ]
   },
   "content_scripts": [ {
      "all_frames": true,
      "js": [ "content_script_compiled.js" ],
      "match_about_blank": true,
      "matches": [ "\u003Call_urls>" ],
      "run_at": "document_start"
   } ],
   "content_security_policy": "default-src 'none'; script-src 'self'; style-src 'self'; connect-src https://*",
   "default_locale": "en",
   "description": "__MSG_extension_description__",
   "icons": {
      "128": "icon128.png"
   },
   "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtWG8kCjgt1zCd6YJvHJZAMZqHVndSoz6DSQJ+5/6LF/qmXPtZnpbrfUwFhkAQ64kS27faNhahcRBWEAdUjUB6J4UV8fHWM1GaUlVyJLHDixtDNZ6mbpPReTndOl9y70f9KJnuFyztr4w06Zw3fAJAIO4K+sROlij+xDMoHk+ijFA+FtZM9z3J+c/xF6rjhBxAt+aFJuO8kxirh5AQLWSrgwcALebsGi7kbvPal/RykNL1dBz6bWb6MPpCzTsR+Hp1nMMB+t9bletjLGbr/KEGcSgKPrk9vL8GKebbs1/OG2J6xhy/tHk4W41R2WXR8rBB2iTif4WNboG85am+7BURwIDAQAB",
   "manifest_version": 2,
   "minimum_chrome_version": "46",
   "name": "__MSG_extension_name__",
   "oauth2": {
      "client_id": "897749729682-2j2fjtnfde4kgi40fvjrp7ude48ooh4n.apps.googleusercontent.com",
      "scopes": [ "email" ]
   },
   "permissions": [ "identity", "identity.email", "notifications", "storage", "tabs", "\u003Call_urls>" ],
   "storage": {
      "managed_schema": "managed_policy_schema.json"
   },
   "update_url": "https://clients2.google.com/service/update2/crx",
   "version": "1.27"
}

Doesn't play nicely with Google Apps domains with synced passwords

We use Google Apps to provide services for all of our users. We do not use single sign on, but instead use our provisioning system to manage the Google accounts and synchronise passwords to them. This means that all our Google Apps users use the same password to log in to Google as to our other enterprise systems. If our users install this extension, it informs them that they have compromised their account every time they log into our other enterprise systems.

The extension could do with a way of handling this situation. Maybe a domain should be allowed to block installation of the extension? Or is there any way of detecting usage of a Google Apps domain in this situation?

Can't see Password Alert logs on Chrome

I deployed Password Alert for a G Suite domain on App Engine alongside the Chrome extension, following the Google guide (http://bit.ly/2Fk772O). Yet on the browser side, I couldn't find the extension's logs because it seems the background page link is not shown even in developer mode (chapters "View the thumbnail in Chrome's local storage" and "View background page logs for the Password Alert Chrome extension" of the Google procedure (http://bit.ly/2Fi64QK)). I also do not see the JavaScript logs of the chapter "View content script logs for the Password Alert Chrome extension".

Do I have to change some parameter in the extension's configuration to get the extension logs on the browser side, or can I get these logs somewhere else?


Extension configuration file

{
  "corp_email_domain": {
    "Value": "@mydomain"
  },
  "corp_html": {
    "Value": ["Primary", "Primary SSO Page"]
  },
  "corp_html_tight": {
    "Value": ["CHANGE ME <title>uniquely for your SSO page",
              "CHANGE ME some more unique HTML from your SSO page here"]
  },
  "security_email_address": {
    "Value": "testaccount@Mydomain"
  },
  "sso_form_selector": {
    "Value": "#loginForm"
  },
  "sso_password_selector": {
    "Value": "#loginForm #password"
  },
  "sso_url": {
    "Value": "https://sso.example.com/"
  },
  "sso_username_selector": {
    "Value": "#loginForm #username"
  },
  "whitelist_top_domains": {
    "Value": []
  },
  "report_url": {
    "Value": "myapp.appspot.com/report/"
  },
  "should_initialize_password": {
    "Value": true
  },
  "domain_auth_secret": {
    "Value": "abcdef"
  }
}

Deployment guide inaccuracies

The UI of the Google Developer Console has been changed significantly enough that the screenshots are no longer accurate and I simply can't figure out how to do some steps.

Specifically, so far I was unable to figure out how to do the step called "Restrict authentication to your domain".

Also, Step 3 of "Create the App Engine service account" was inaccurate since the Consent Screen is now at APIs & Auth -> Credentials -> Credential Screen Tab. Step 5 was also confusing.

The Google Apps Admin console is also being changed and I got a message saying "This feature will be moving to the Google Developers Console by end of Aug 2015. Follow these instructions to get the new permissions you'll need." linking to here: https://cloud.google.com/docs/permissions-overview#h.bgs0oxofvnoo

At this point the UI is different, but still seems similar enough for me to muddle through, but it's not clear if it will let people continue to add apps in a similar way.

The OpenSSL binary link is also broken, it should probably point to https://www.openssl.org/community/binaries.html

It also seemed a bit odd that I was spending time configuring the OAuth2 config up front if it wasn't critical and the only instructions were some comments in config.py.

I'm still working through the whole process, but the rest seems like it's probably not affected by the new UI.

Password Alert Bypass using Unicode Encoding

The bypass works as the following:

If the page is encoded in Unicode, it won't be detected by Google Password Alert.
<script>document.write('Page in Unicode');</script>

Steps to Reproduce:
1- Download a login page.
$ wget 'https://accounts.google.com/' -O detected.html
2- Encode the detected.html page in Unicode.
3- The page will be undetectable by the latest version of Google Password Alert.

Proof of Concept:
I have uploaded a proof of concept of a detected page and an undetected page.
https://www.dropbox.com/s/16gdg2a6ohwu0zs/google-password-alert-bypass.zip?dl=1

Sincerely,
Mazin Ahmed

Alert when the user has typed part of their password

JavaScript keystroke logging can mean that even if the user never submits the form (after seeing the alert), the evil site gets the password anyway. This is presumably why the add-on suggests users change their password even if the form hasn't been submitted.

This issue could be avoided, in some cases at least, for users whose passwords are sufficiently long and sufficiently random, by storing a hash of the first half of the password instead of the entire thing, and warning immediately after the first half is typed. That way, the attacker could get half the password using keylogging -- but half of a random password isn't the whole thing, and it means that an immediate attack couldn't be mounted, as the attacker would have to brute-force the other half. That gives the user time to change their password without worry.

This wouldn't need any extra UI; you could analyse the user's Google password for entropy and length to decide whether to enable this mode.

iframe sandbox attribute allows evasion of extension

Minimalist PoC: https://cgs.wustl.edu/~semenko/phishing.html

Master frame:
<iframe src="phishing-input.html" sandbox="allow-forms">

Input frame:
<input type="password">

Note the console during input:

2015-05-12 17:21:07.698 phishing-input.html:1 Blocked script execution in 'https://cgs.wustl.edu/~semenko/phishing-input.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
2015-05-12 17:21:07.794 phishing-input.html:1 Blocked script execution in 'https://cgs.wustl.edu/~semenko/phishing-input.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
2015-05-12 17:21:07.874 phishing-input.html:1 Blocked script execution in 'https://cgs.wustl.edu/~semenko/phishing-input.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

Multiple issues deploying server app into AppEngine

Trying to deploy the password-alert server into a new GCP Project and I'm running into some trouble.

The first issue I ran into was the app.yaml, which gcloud app deploy complained about, so I changed:

application: broad-password-alert
version: 1

to

# application: broad-password-alert
# version: 1

and then I was able to deploy the app.

Once it was deployed. I tried to access it and got the error:

ImportError: No module named apiclient.discovery

I tried to fix this by installing the gcloud-api-python-client into a newly created lib directory in the server directory like this:

mkdir lib/
pip install -t lib/ google-api-python-client

I also created an appengine_config.py with the following:

from google.appengine.ext import vendor

# Add any libraries install in the "lib" folder.
vendor.add('lib')

and then I redeployed the app with gcloud app deploy.

Then I ran into the issue:

ImportError: cannot import name appengine

At this point I'm wondering if there is an older version of google-api-python-client I should be using, or if there are newer docs that show how to deploy this successfully so I don't have to modify the code too much?

"Sign in" button fails to create tab when no window open

OS: Chrome
Version: 46.0.2490.71

After signing into Chrome OS, if no browser windows are open, clicking the "Sign in" button in the Password Alert notification doesn't do anything. From the background page:

Unchecked runtime.lastError while running tabs.create: No current window
    at a.initialize_password_notification.a (chrome-extension://noondiphcddnnabmjcihcjfbhfklnnep/background_compiled.js:39:417)
reportIfUnchecked @ extensions::lastError:133

Traceback when visiting localhost:8080

I just got this traceback from Password Alert while viewing a local URL in Canary. It doesn't happen when I reload the page, but thought you might want to see it anyway.

Error in event handler for (unknown): SyntaxError: Unexpected token u
    at X (chrome-extension://noondiphcddnnabmjcihcjfbhfklnnep/content_script_compiled.js:24:161)
    at chrome-extension://noondiphcddnnabmjcihcjfbhfklnnep/content_script_compiled.js:24:131
handler @ extensions::uncaught_exception_handler:8
(anonymous function) @ extensions::uncaught_exception_handler:100
EventImpl.dispatch_ @ extensions::event_bindings:376
EventImpl.dispatch @ extensions::event_bindings:393
target.(anonymous function) @ extensions::SafeBuiltins:19
publicClass.(anonymous function) @ extensions::utils:94
dispatchOnDisconnect @ extensions::messaging:306

Is Allowed Hosts still functional on https://work.google.com/passwordalert ?

We set this up many years ago - apologies - we still get reports time to time for users, and the reports direct us to: https://work.google.com/passwordalert (which successfully shows history)

Does anyone know if that site is still functional for whitelisting sites?
We see this at the bottom:

Sites that you have allowed to bypass Password Alert will show up here. To add a domain, search for it from the Password Alert homepage and change its status to "Allow".

When we go to https://work.google.com/passwordalert/hosts there is no option for "allow".

I'm wondering if the site is grandfathered and that we have to host something separate? Trying to avoid that if possible. Thanks!

help?

{"message": "Изчакайте няколко минути, преди да пробвате отново.", "status": "fail"}

(The message is Bulgarian: "Wait a few minutes before trying again.")

Removing a managed policy throws an error (& isn't reflected until extension reload)

  1. Deploy a managed policy
  2. Remove the policy
  3. Error:
background_compiled.js:625 Handling changed policies.
extensions::uncaught_exception_handler:8 Error in event handler for storage.onChanged: TypeError: Cannot read property 'replace' of undefined
    at chrome-extension://noondiphcddnnabmjcihcjfbhfklnnep/background_compiled.js:53:254

Expanded, that's the line below:

chrome.storage.onChanged.addListener(function(a, b) {
    if ("managed" == b) {
        console.log("Handling changed policies.");
        for (var c in a) {
            K || (K = !0,
            console.log("Enterprise mode via updated managed policy."));
            var d = a[c].newValue;
            switch (c) {
            case "corp_email_domain":
                F = d.replace(/@/g, "").toLowerCase();   <<<<************
                break;
            case "display_user_alert":
                L = d;
                break;
            case "report_url":
                A = d;
                break;
            case "should_initialize_password":
                C = d;
                break;
            case "domain_auth_secret":
                M = d
            }
        }
    }
});
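A handler that tolerates policy removal, as an added example that is not the extension's own code. It assumes the policy keys visible in the compiled listing above, with default values of my own choosing, and derives enterprise mode from the live settings instead of latching it on the first policy event, which is also what makes the removal take effect without reloading the extension.

```javascript
// Added example, not the extension's own code: a storage.onChanged handler
// that tolerates policy removal. chrome.storage.onChanged passes
// { key: { oldValue, newValue } }; when an administrator removes a managed
// policy the entry has oldValue but no newValue, which is what made the
// original `d.replace(...)` throw. Keys and defaults are assumed here.
const DEFAULTS = Object.freeze({
  corp_email_domain: '',
  display_user_alert: true,
  report_url: '',
  should_initialize_password: true,
  domain_auth_secret: '',
});

// Effective settings, starting from the defaults.
const settings = { ...DEFAULTS };

// Same normalisation as the original handler, applied only to strings.
function normalizeDomain(value) {
  return typeof value === 'string'
    ? value.replace(/@/g, '').toLowerCase()
    : DEFAULTS.corp_email_domain;
}

// Apply one changeset from the managed area. Returns the keys that were
// reverted to their defaults because the policy was removed.
function applyPolicyChanges(changes, areaName) {
  if (areaName !== 'managed') return [];
  const reverted = [];
  for (const [key, change] of Object.entries(changes)) {
    if (!Object.prototype.hasOwnProperty.call(DEFAULTS, key)) continue; // unknown key
    const removed = change.newValue === undefined;
    const value = removed ? DEFAULTS[key] : change.newValue;
    settings[key] = key === 'corp_email_domain' ? normalizeDomain(value) : value;
    if (removed) reverted.push(key);
  }
  return reverted;
}

// Enterprise mode is derived from the live settings rather than latched on
// the first policy event, so removing the policy also turns it off.
function enterpriseMode() {
  return settings.report_url !== '' || settings.corp_email_domain !== '';
}

// Register in an extension context; under Node the guard simply skips it.
if (typeof chrome !== 'undefined' && chrome.storage && chrome.storage.onChanged) {
  chrome.storage.onChanged.addListener(applyPolicyChanges);
}
```

The two things the original handler gets wrong are both visible in the listing: it reads `newValue` without checking that the key still exists, and it sets the enterprise flag on any change event, including the one that removes the policy.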

FEATURE REQUEST - Firefox extension

Hi. Any chance this extension be ported to Firefox? Thanks!

Ps: I know it would be tricky, but if you could also port it to Safari, that would be great!

Tests can't be run.

Tests for background.js and content_script.js are broken because resources are referenced from incorrect paths and aren't found.

Bypassing Google's Password-Alert Anti-Phishing Protection w/o Javascript

Lines 23-28 (content_script_compiled.js) contain a detection for "gaia_loginform":

(a = document.getElementById("gaia_loginform")) && document.getElementById("Email") && a.addEventListener("submit", aa, !0))) : (!W() && ba() && (console.log("Detected possible phishing page."),
                chrome.runtime.sendMessage({
                    action: "looksLikeGoogle",
                    url: Q,
                    referer: document.referrer.toString()
                }), X(U, ca())), chrome.runtime.sendMessage({
                action: "savePossiblePassword"
}));

which, with slight code changes like:

<form novalidate="" method="post" action="https://accounts.google.com/ServiceLoginAuth" id="gaia_loginform_bypass">

(gaia_loginform -> gaia_loginform_bypass)

will bypass the detection script for Google pages, and neither a warning nor the password-reset function will be shown to the user at all.

Proof-of-concept URL:

Video
https://www.youtube.com/watch?v=nD-u0AnwwZU (YouTube)
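The two bypasses reported on this page (the "encode the page in Unicode" trick and the element-id rename above) both defeat a check that looks for one literal string in the served bytes. The page-impersonation check the README describes, rebuilt as an added example that is not the project's code: it counts several independent markers rather than one id, and it inspects what the browser would render rather than the raw source. The marker strings are placeholders in the spirit of the corp_html lists in the configuration shown earlier, not the extension's real list, and the sample pages are constructed.

```javascript
// Added example, not the project's code: an impersonation check that
// (a) counts several independent markers instead of one element id, so the
// gaia_loginform rename above is not enough, and (b) inspects what the
// browser would render, so document.write() of escaped text is not enough
// either. Markers and sample pages are constructed placeholders.

// Decode JavaScript string escapes (\uXXXX, \xXX, \n, \t, \r, \0, \" ...),
// as the engine does before document.write() hands the text to the parser.
function decodeJsString(literal) {
  return literal.replace(/\\(u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2})|(.))/g, (_m, _all, u, x, c) => {
    if (u) return String.fromCharCode(parseInt(u, 16));
    if (x) return String.fromCharCode(parseInt(x, 16));
    return { n: '\n', t: '\t', r: '\r', 0: '\0' }[c] || c;
  });
}

// Approximate the rendered view: replace each document.write('...') or
// document.write("...") with its decoded string. Everything else is kept.
function renderedView(html) {
  const call = /document\.write\(\s*(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g;
  return html.replace(call, (_m, _q, body) => decodeJsString(body));
}

// Constructed placeholder markers for a genuine login page.
const LOGIN_MARKERS = [
  'id="gaia_loginform"',
  'action="https://accounts.google.com/ServiceLoginAuth"',
  'id="Email"',
  'id="Passwd"',
  'Sign in with your Google Account',
];

// Count markers in the raw bytes only (what a naive check sees).
function rawHits(html, markers = LOGIN_MARKERS) {
  return markers.filter((m) => html.includes(m)).length;
}

// The check: at least minMatches markers present in the rendered view.
function looksLikeLoginPage(html, markers = LOGIN_MARKERS, minMatches = 3) {
  const view = renderedView(html);
  const hits = markers.filter((m) => view.includes(m));
  return { matched: hits.length >= minMatches, hits };
}

// Attacker-side helper for the demonstration: rewrite a page as a single
// document.write() of \uXXXX escapes ("encode the page in Unicode").
function encodeAsUnicodeEscapes(html) {
  const body = html.split('')
    .map((c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'))
    .join('');
  return '<script>document.write(\'' + body + '\')</script>';
}

// Constructed sample pages (a cut-down clone, not a real capture).
const CLONE = '<form novalidate="" method="post" action="https://accounts.google.com/ServiceLoginAuth" id="gaia_loginform">'
  + '<input id="Email"><input id="Passwd" type="password"></form>';
const CLONE_ID_RENAMED = CLONE.replace('id="gaia_loginform"', 'id="gaia_loginform_bypass"');
const CLONE_ESCAPED = encodeAsUnicodeEscapes(CLONE);
```

In a content script the rendered view comes for free from the DOM after load (document.documentElement.outerHTML), and the decoding step above only models that; the point is that the markers must be matched against what the user sees, and that several of them must agree, so that neither renaming one id nor hiding the markup behind escapes is enough on its own.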
