by pwman 3807 days ago
Yes, we're pushing the notification to a new tab (which can't be blocked or interfered with) once it goes through QA -- likely early next week.

Also, even multifactor now must be new location verified, so the ability to exploit this is now extremely low. Any attempt to utilize those credentials will be blocked and an email will be generated, just like what happened in the non-multifactor case.

Hopefully you've gained enough attention for the Chrome issue: https://code.google.com/p/chromium/issues/detail?id=453093 to be implemented sooner rather than later. If you could do me a favor and follow it to keep the pressure on Google to help mitigate phishing risk, we'd appreciate it.

1 comments

> Yes, we're pushing the notification to a new tab (which can't be blocked or interfered with)

We went through a similar iteration with Password Alert. If you're setting focus on the new tab, an onBlur event could indicate that the current page has lost focus, perhaps due to the warning tab. I think notifying the user is still net-positive for the user's security.

Interesting, I hadn't heard of Password Alert -- we should definitely share notes if you're open to it -- I'd love to be able to generalize what we're doing to other domains if we could -- it's unfortunately CPU-intensive how we're doing it.

Sure thing, I'm happy to help. Our code is at https://github.com/google/password-alert and feel free to email me any questions at drew@overt.org

However we haven't published a good design document about the client. If you're interested, let me know and I'll try to publish one.