At work we have experienced a problem with Google’s Predictive Phishing Protection, as described by Google on their security blog.
If you type one of your protected passwords (this could be a password you stored in Chrome’s password manager, or the Google Account password you used to sign in to Chrome) into an unusual site, Chrome classifies this as a potentially dangerous event.
In such a scenario, Chrome checks the site against a list on your computer of thousands of popular websites that are known to be safe. If the website is not on the safe-list, Chrome checks the URL with Google […]. If this check determines that the site is indeed suspicious or malicious, Chrome will immediately show you a warning […]
What happens is that a user will have reused a password. Yes, users shouldn’t do that. Yes, users do that. It could also happen if the user has used their email address as a username on some site, which is not only common but many places required. The user has chosen to store their password in Chrome’s password manager.
Then that user goes to our corporate intranet which includes a web-based interface to the ERP. If the username and password there matches those stored for some other site, or if they want a report sent to their email address, Chrome immediately issues a very serious warning and changes the site status from secure to dangerous (!). Not just unsafe, dangerous.
It happens because Google doesn’t know about our intranet and we definitely don’t want them to access the intranet to validate it.
Unfortunately it is the user that is presented with this message and they have little choice but to believe the message they are seeing.
Our current work-around is only to go the Chrome Autofill list and remove the passwords and/or email addresses from those other sites, which removes the problem for our site.