A Bug in Google Toolbar Allows Inserting Malicious Buttons
Aviv Raff, a security researcher, warned that a dialog-spoofing flaw in the widely used Google Toolbar could allow attackers to perform identity theft or execute malicious files, eWEEK reported on December 18, 2007.
Raff, also known for his hacking skills, regularly hunts for and reports vulnerabilities in software. In his latest research, he found a way to use a booby-trapped page to make Google Toolbar users add harmful links to their browser.
The vulnerability lies in the way Google Toolbar adds new buttons to the toolbar. Because a new button is not adequately checked during installation, an attacker could make the button appear to be a genuine download when it actually came from a malicious source. A button from such a source could then enable the attacker to mount a phishing attack or download harmful files.
Raff has published proof-of-concept code to demonstrate how this kind of attack could take place in the popular Internet Explorer (IE) browser. A Google spokeswoman confirmed on December 18, 2007 that the company's security experts were working on a fix for the problem.
In an interview with eWEEK, Raff said that all versions of the Toolbar allow spoofed information to be presented to the user when a new icon is created in the user's browser.
Raff wrote in an advisory that such a mechanism could allow a hacker to make users believe that they are getting the button from a legitimate source. The advisory was published on AvivRaffOn.Net on December 18, 2007.
Independent security researcher Marc Maiffret said that because the user must pass through multiple stages before succumbing to the attack, the vulnerability isn't considered critical, PCWorld reported on December 18, 2007. Maiffret said via IM that while the bug was interesting, it might be a threat, though a less severe one than other flaws in IE. But Google has been sloppy to overlook such an obvious attack.
In November 2007, Raff found another Google flaw, which involved a web programming error on the Google.com site.
SPAMfighter News - 01-01-2008