Explore the latest news and trends  

Keep yourself up to date with one of the following options:

  • Explore more news around Spam/Phishing, Malware/Cyber-attacks and Antivirus
  • Receive news and special offers from SPAMfighter directly in your inbox.
  • Get free tips and tricks from our blog and improve your security when surfing the net.
Go

A Bug in Google Toolbar Allows Inserting Malicious Buttons

Aviv Raff, a security researcher, warned that a flaw via dialog spoofing in the widely used Google Toolbar could allow malicious attackers to perform identity theft or execute malicious files. Eweek reported this on December 18, 2007.

Raff, also known for his hacking skills, regularly hunts and reports vulnerabilities in software. In his new experiment, he found out a method to exploit a booby-trapped page to make users of Google Toolbar insert harmful links onto their browser.

The vulnerability is in the method Google Toolbar employs to include new buttons to the toolbar. In the absence of adequate checks on it during installation of new buttons, an attacker could make the button appear as if it was a genuine download while actually it arrived from some malicious source. This way, the browser button source could enable a hacker to wage a phishing attack or to download harmful files.

Raff has published a proof-of-concept code to demonstrate how this kind of attack could take place in the popular Internet Explorer (IE) browser. A spokeswoman for Google confirmed on December 18, 2007 that security experts at the company were on the job to find a fix for the problem.

While answering to queries in an interview for eWEEK, Raff said that all the Toolbar's versions allow spoofed info to the surfer when creating a new icon on the user's browser.

Raff wrote in an advisory that such a mechanism could allow a hacker to make users believe that they are getting the button from a legitimate source. The advisory was published on AvivRaffOn.Net on December 18, 2007.

Independently practicing security researcher, Marc Maiffret, said that since the user passes through multiple stages before succumbing to the attack, the vulnerability isn't considered critical. PCWorld reported this on December 18, 2007. Maiffret said via IM that while the bug was interesting, it might be a threat, less severe than other flaws on IE. But Google has been sloppy to overlook such an obvious attack.

In November 2007, Raff had found another Google flaw that involved an error in web programming on the Google.com site.

Related article: A New "Blackmailing" Variant Creeps Around…

» SPAMfighter News - 01-01-2008

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Exchange Anti Spam Filter
Go back to previous page
Next