Google Toolbar flaw opens door for phishers

Google is working to fix a flaw in Google Toolbar that could allow criminals to install unauthorized software on a victim's PC.

Google is working to fix a bug in the Google Toolbar that could allow criminals to steal data or install malicious software on a system, a security researcher warned Tuesday.

The flaw lies in the mechanism Google Toolbar uses to add new buttons on the browser. Because the toolbar does not perform adequate checks when new buttons are being installed, a hacker could make his button appear as though it was being downloaded from a legitimate site when in fact it came from somewhere else. By spoofing the origin of the toolbar button, an attacker could download malicious files or launch a phishing attack against the victim, wrote security researcher Aviv Raff in a blog post on the issue.

Raff has posted proof of concept code, showing how such an attack would work with the Internet Explorer browser. A Google spokeswoman confirmed Tuesday that the company is working to fix the problem.

The attack requires many steps. First, the victim would have to be tricked into clicking on a Web link that would then pop up a window asking the user if he wants to install a custom button on his toolbar. Because of the flaw, this alert could look like it was downloading the button from a legitimate site such as Google.com, even if it were not. Once the button was installed on the toolbar, the victim would then have to click on it, and finally agree to download and run an executable file for the malicious software to be installed.

Because the user would have to go through so many steps in order to fall victim to the attack, the bug isn't a critical one, said Marc Maiffret, an independent security researcher. "While it is interesting, it's probably a low threat compared to other flaws out there," he said via instant message.

Still, it was sloppy work on Google's part to miss such a simple attack, he said. "They should definitely assess how it slipped through the cracks," he said.

This is not the first obvious Google flaw that Raff has found. Last month, he showed how a simple Web programming error on the Google.com Web site could allow attackers to launch what's known as a cross-site scripting attack.

Because Google's programmers didn't properly check the HTML generated by the Google search engine, Raff was able to create a specially crafted Google link that, when clicked by the victim, would trick the browser into running unauthorized scripting code. This type of link could be used to steal the victim's Google account or conduct phishing attacks, Raff said

This error was fixed by Google just hours after Raff notified the company of the problem, but a demo of the flaw being exploited can be seen online.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?