Known blind spots

Tyler Butler edited this page Feb 2, 2021 · 3 revisions
  • Bogus passwords: Each time the user enters a password on an enterprise website, a hash of that password is stored locally, regardless of whether it is actually an enterprise password. If, for example, a user mistakenly enters a personal password on an enterprise website and later enters that same personal password on the correct external website, a false-positive alert will be generated.
  • Altered configuration: If the extension's configuration is altered, PhishCatch may neither alert locally nor send alerts to the PhishCatch server.
  • First-time use: PhishCatch relies on the enterprise password having been entered. If a user has not logged into an enterprise site since installation, there are no stored hashes, so no comparison can occur.
  • Multiple browsers and incognito mode: PhishCatch only sees activity in the Chrome profile where it is installed. It is also not enabled in incognito mode by default, so users may be able to bypass reuse detection there. If PhishCatch is manually allowed in incognito mode, however, cached hashes are shared between standard and incognito windows.
  • Undetected websites: Because website configurations vary, there is no way to guarantee that passwords will be captured when they are entered on every website.
  • Websites specifically designed to bypass PhishCatch: It is possible for an attacker to build a phishing page that evades PhishCatch's password form detection, among other controls. We intend to address bypass methods if PhishCatch achieves broad adoption.