Google Toolbar flaw opens door for phishers

Google is working to fix a flaw in Google Toolbar that could allow criminals to install unauthorized software on a victim's PC.

Google is working to fix a bug in the Google Toolbar that could allow criminals to steal data or install malicious software on a system, a security researcher warned Tuesday.

The flaw lies in the mechanism Google Toolbar uses to add new buttons on the browser. Because the toolbar does not perform adequate checks when new buttons are being installed, a hacker could make his button appear as though it was being downloaded from a legitimate site when in fact it came from somewhere else. By spoofing the origin of the toolbar button, an attacker could download malicious files or launch a phishing attack against the victim, wrote security researcher Aviv Raff in a blog post on the issue.

Raff has posted proof of concept code, showing how such an attack would work with the Internet Explorer browser. A Google spokeswoman confirmed Tuesday that the company is working to fix the problem.

The attack requires many steps. First, the victim would have to be tricked into clicking on a Web link that would then pop up a window asking the user if he wants to install a custom button on his toolbar. Because of the flaw, this alert could look like it was downloading the button from a legitimate site such as Google.com, even if it were not. Once the button was installed on the toolbar, the victim would then have to click on it, and finally agree to download and run an executable file for the malicious software to be installed.

Because the user would have to go through so many steps in order to fall victim to the attack, the bug isn't a critical one, said Marc Maiffret, an independent security researcher. "While it is interesting, it's probably a low threat compared to other flaws out there," he said via instant message.

Still, it was sloppy work on Google's part to miss such a simple attack, he said. "They should definitely assess how it slipped through the cracks," he said.

This is not the first obvious Google flaw that Raff has found. Last month, he showed how a simple Web programming error on the Google.com Web site could allow attackers to launch what's known as a cross-site scripting attack.

Because Google's programmers didn't properly check the HTML generated by the Google search engine, Raff was able to create a specially crafted Google link that, when clicked by the victim, would trick the browser into running unauthorized scripting code. This type of link could be used to steal the victim's Google account or conduct phishing attacks, Raff said

This error was fixed by Google just hours after Raff notified the company of the problem, but a demo of the flaw being exploited can be seen online.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Cool Tech

Bang and Olufsen Beosound Stage - Dolby Atmos Soundbar

Learn more >

Toys for Boys

ASUS ROG, ACRONYM partner for Special Edition Zephyrus G14

Learn more >

Sony WF-1000XM3 Wireless Noise Cancelling Headphones

Learn more >

Nakamichi Delta 100 3-Way Hi Fi Speaker System

Learn more >

Family Friendly

Mario Kart Live: Home Circuit for Nintendo Switch

Learn more >

Philips Sonicare Diamond Clean 9000 Toothbrush

Learn more >

Stocking Stuffer

Teac 7 inch Swivel Screen Portable DVD Player

Learn more >

SunnyBunny Snowflakes 20 LED Solar Powered Fairy String

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?