Google Toolbar flaw opens door for phishers

Google is working to fix a flaw in Google Toolbar that could allow criminals to install unauthorized software on a victim's PC.

Google is working to fix a bug in the Google Toolbar that could allow criminals to steal data or install malicious software on a system, a security researcher warned Tuesday.

The flaw lies in the mechanism Google Toolbar uses to add new buttons on the browser. Because the toolbar does not perform adequate checks when new buttons are being installed, a hacker could make his button appear as though it was being downloaded from a legitimate site when in fact it came from somewhere else. By spoofing the origin of the toolbar button, an attacker could download malicious files or launch a phishing attack against the victim, wrote security researcher Aviv Raff in a blog post on the issue.

Raff has posted proof of concept code, showing how such an attack would work with the Internet Explorer browser. A Google spokeswoman confirmed Tuesday that the company is working to fix the problem.

The attack requires many steps. First, the victim would have to be tricked into clicking on a Web link that would then pop up a window asking the user if he wants to install a custom button on his toolbar. Because of the flaw, this alert could look like it was downloading the button from a legitimate site such as Google.com, even if it were not. Once the button was installed on the toolbar, the victim would then have to click on it, and finally agree to download and run an executable file for the malicious software to be installed.

Because the user would have to go through so many steps in order to fall victim to the attack, the bug isn't a critical one, said Marc Maiffret, an independent security researcher. "While it is interesting, it's probably a low threat compared to other flaws out there," he said via instant message.

Still, it was sloppy work on Google's part to miss such a simple attack, he said. "They should definitely assess how it slipped through the cracks," he said.

This is not the first obvious Google flaw that Raff has found. Last month, he showed how a simple Web programming error on the Google.com Web site could allow attackers to launch what's known as a cross-site scripting attack.

Because Google's programmers didn't properly check the HTML generated by the Google search engine, Raff was able to create a specially crafted Google link that, when clicked by the victim, would trick the browser into running unauthorized scripting code. This type of link could be used to steal the victim's Google account or conduct phishing attacks, Raff said

This error was fixed by Google just hours after Raff notified the company of the problem, but a demo of the flaw being exploited can be seen online.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?