Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Unpatched Google Toolbar Flaw Presents ID Theft Risk



 By: Ryan Naraine
2007-12-18
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A hacker finds a way to use a booby-trapped Web page to trick Google Toolbar users into adding malicious buttons to the browser.

A dialog spoofing vulnerability in the popular Google Toolbar could be exploited by malicious hackers to execute malicious files or launch identity theft attacks, according to a warning from security researcher Aviv Raff.

Raff, a well-known hacker who regularly finds and reports software vulnerabilities, figured out a way to use a booby-trapped Web page to trick Google Toolbar users into adding malicious buttons to the toolbar.

Resource Library:
In an IM interview with eWEEK, Raff said multiple versions of the toolbar allows spoofed information to be presented to the user when adding a new browser toolbar icon/button.

"This can allow an attacker to convince the users that his button comes from a trusted domain. This button can then be used to download malicious files or conduct phishing attacks," Raff said in an advisory.

eWEEK has confirmed the bug on the Google Toolbar 5 beta for Internet Explorer. Raff said the production version (Google Toolbar 4) for both Microsoft's Internet Explorer and the open-source Firefox browsers is also affected.

Google has been notified and is working on a fix, Raff said.

"An attacker can use this vulnerability to gain the victim's trust to add and use the button, and by that the victim will trust the files that the button offer, or enter private information. In the new beta version of the toolbar, it is also possible to alert the user every few seconds to click on the button," Raff said.

The researcher has released a proof-of-concept exploit to demonstrate how a specially rigged Web page can trick a user into believing third-party toolbar buttons are being downloaded from Google's domain.

In the absence of a fix, Raff suggested that Google Toolbar users avoid adding new buttons.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.



  Reader Comments: Unpatched Google Toolbar Flaw Presents ID Theft Risk
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}kS㸶j&sнytMat{V[I<8'ΗSOxגW&9jH,yIZZ/---}GggD]ݴ1p͙M55|zg`HRsgޅ-34 @oRQP ĠxnwݶN`P'~ > \?g3U;Y|LNZ]@ZSˆ辥{$)5< \g4"1lp2E9$7 \hyiVpA'ס,jO`U[۾xwgy@ffrt KJozcnć!LjZ L|:j/EӝF3l˸-:4 PS+}(Z}`[BUzEÝ5훟+UUew9*GA nkp[I^׵Sq9}r>?'7;A:;YHL~#@DJ V4MD&-āI^:GH5=(ǭ~WB-hZIArija[E4b‰EU}$N"?Zڗu&u}X6&ZiCA+WtWe`9=y\toz{MNڟ:gw:Rڟ+̊k*}k p6O|iuH54Y01\ \^Kj='6ǣ1)H|S: Yu'PZ,/ fRrZ~@X*,>Ja͢4-I` o$SE@;- u +:YK7BS_g]p a6F@Lt\ QCלش 6,%hJyOf4Ջ"}Yt"Fͩ8 (J"bN3 ɋE94>BzBp4A*&-`^i1[W <ۋJ!PIxZSx&z$tH h&rkI7.[A0? ; O`r]ɝ5E0ݻCi`y1yj =*~3`=w}   l߃5#~[-[Z6x O͙A }C|'s\(L7^ 2)%%E29 EEKi@$ $h-4`r.́lbo(HXVpD*M'8ݱ;P+JDV{TKh+K@f:32YIFMf X*ȉ#o"09X ,gZ Xk%Ƽ fj~iڛ,Â%Gn]ּG36I `آwBrPC;*::=熳a\9:<VM+}'tF~Gש ݜZ,'1!õB3}P˄FrT{g[,:rǸ%qМaM_ȣ~|ZÈIuO_N#iۖs7M ߄T +9v#\ē ry͚X 4ؐ9|ƓB77cnS^ʚ**#wT4tjz#Jݼ~h;h{q#%Aw =e河xOuYKnuo?յ݋pz9TKӺJj'/"ohm_EڠueLGe K-C IHf(XK+ezlxyD62Cin Px\{8`O=0\ReeZȄmmMj[ ʸAfJg ~c &*d ë?v=kOGn&ztgH~vP9g3?Q,C, P*}a5*403<`m1Lx>Hx# d\6V,'Ё*8tԳtgqq?_ZN®tْ/hvpڊ:Dۃh2f ÑeH׽IA̫UXOE}T5A<1D ȸla,riL*wڶ{>Qidݙ(yR+rf!9 ֐I8U1'\ ؕGQϗA,~lank 5!70MC LK=:>ئ4Q ( Mքk&.D:㼭 #XA\@/ aPHWkX tбթ6=,JI:NdzԘ>Q7Ϗ9(gh9d*>'HV/ЪZZ͎^=>YP2z4b&cоLk}YP~WsboY LjB&:GdHC+`NT:YGw=܁c2P?H(TZg7cMś]ac6U{zn&R)Z',Wvh\JW>67/=Od"9Eӏ6V"=_`sQl x@̬} u0m94c~y-0>Oi[LFbT~\3gbסڳn22󓫻玾_FpA JG}3O>Ǥ|m,,n1ya%[ŜQx` f|lh nz*Z-Yi$ {2 t9t=d}{c5Z8,*z)ϣDʌYeoQ Umq'.҂^ߵK]T1)V(&v}j;_I|SeȣV)+Y+T\U񋰷8C+`-XRj#D*"Go&ŏ[oȧurvOG~#W>U ˏPU*J5yVp8{Rn?mVVW`j-Y2ǽa n.E[& 4˷ʨKu-,sK"hJg؋_r[rn)ty4ņ5ѣ(4CrK{]w޺\8c̞ÒfFs,.ҞI"G: -e4Cnƭj}U]%T/IjYxn:0nȘُYD[x$tpM\&hClYj2a'A)pd]2~ܮW隿F=;o)rECR|{޽'y-{w[OjܨZ, Y#B[ȧͦ5fpRbA s 3^z0LQ}ikB*XK}͉B9ki*D|=t_5gDܠ,qv }g#s}eXL7$>T1r(`$X*XU2ӻ:o}Olgen/ m D78S*PW"2EH%iAFN' <"9hEщҎ"~YVST t~iџ.`m eIbQ+f+I'O{GH$y ?9/wbP!B48r 7{KP .Mu?Ro2MĔyk.NEm {6-~8 cdQ(S!t$-zbeQnKlx0eRȔ&=J8 z>SB&Դ5˓4-i^Eqj ieʒ~ j' ۡX#֛].7G8 (OMkzisy/Psa%3sgKeҊ Pk qbG-#*VZZFZ-Vyʏxi9: a!y]9 gEuX.gHUkN+tt,ZȍNڰq ;eΫPf|mv,KمN5W3lyRѵls2fucBAsS@ {c1Tuv0؁H.Er o5 & Omzcl3ȲÈǥ̷rt?K.}:﷯Is 09j~%H@2othCk7yEO>O4wX]{'NE Z7N{m,da}?H+Fis(!Z4vdLc!I )VԺ57`ʜ9%'+dxrt2ע(oP2QtIK JG3`̾qK7׷bc8wB'w5GGpSxw6{eQJW=q-@kjejRm`1 \]תʾjQsctߌ*Ie|{8Nd]K v-JYkH]Ý׃;LDxP :/ Nw2@}[X ۡ^Q 0,SJ=.Mr1Ο yuY–a3,gw[H&G TAgqkbuL1JvzGl+$|vT;ƒ17 ٤y#˵d\ICSy%Wޮ8WҦ mRA0%dlHƦ5I iJ.tEz6vυ|dkIU%My>͗Cڋk,D2憲hxǕ+E/J~/`TrOlDIKJ(e0!yi>'PhiS -8]IbZx79os*Zb &A6x4ܸVRUR+Ji3q HČ}txdZbylYNҙkadH H$ E9[!nn¶ԤIJuSj85u ]6教*R,R5:8-fFC}txjHSvCH0AB|qma67K,sIqɊ#Q ywwww{g+r|l"^I+E=.RǤT9Wmk0k@._y^=(MFX=3⌏ X?"٩.v|rJ QR Jz'`k捿Fk_x x|qǶcCm>Vc~17HBg:kzmFɪƮxœM) Dd1xdp RԦ~%^~>N"t< '!ռsNz;LHV:,gK-'D5s7(X$Oy Œ~=TB8J9hi> eT:u}Z6 i 2S5J(C8$819p؛[!;$vc^.ZwT`m`q9 wwNQ`3_gUDF``=Stu$ޥNFNaK6@7l^%J;\,L l_z$WmGg!nH/Myu7RwǂToZd -Utmv JRs6넵KX$D f L^Ѽb!6_:?wiG)))))}ҒZҪS[ ԊtF 3tE]1}@=2)?`U4pHU;::~uа؛۾]kk]`^bH@rG0 Kxh "D 6{p91m }G7 O[<\WݠyY!>`X)x1`-Tp0@"i@$ [#'˶hn—2[ހS7&rb:Q[ǛUZMۑ}=h)'ȋ ?mnXq-ʇ1;d/GH{4˫7=ދAU*cV} _g۳Y\s\W{yK ߁s:\ϜE 6gB8+Am𛷿c:%$;6_LHj~6}A+=V4 6 mX[`cXyy0m-mYѧS.ef{WҔZZ&2XwS~a݃f}{Yj|ubM4tF87?WF+┱faeO=%3%ebI5PDNStztowwv]gӿp sZ 7>kA~i//m~q\[L@Ukbw2/ -{8Sxz1Cv17FJ61ݜ\f0-~7~Ge9gGi=2݀wo*k+H#+so9Dz'hFe!;Ohl J\DF/ 3,M?C"leKͦ l1i6":&MMSW/G~RJ~~'2`M=u'<~'T&jqh!W:|&8-?~(pG/[I'Hr#E<[wDQޯ*F]{F9- Q 0~;>P-%8 YWS}qCvyLrza#ʵmq|EYfq."LY e9L ؁UĤA҂B<쒪wĨWmHHHWkq+#,kb֪Z"'"KIH ^X06hD]dbɤ3=^R_7T%~\sf61%Q>sjt#VS՜R<^gYJ z~b= añ*B 'UNz ԣ:BMwxWU"j%gx#-5נ)|9}fZbfģ Zkah;Xÿ́h;b=VںJqwz2Ko^;C'knVuC[wnWmĞܐmQNa]TXX>ѽgCBYLM'\\sjό\#aeI\lfm>ڊRo4Jv (ALO@99ݱ=X ѤQQ̏XJ1o1K}JFVOF6ވڳb CmU\S=@!K.&KZ|Ɍֲ:mFA&_cL~\cqU<11t#PγjNT\OpY}XC3 L^\}ĭRA+oS[ZSV_Dt_t[6hZ Gt MtW97aT0|L I|xUk{VyKb?{r h:QhTJu 7a|$w{̥7b?= {θ9yǃ""a=X@*>ndeH#]YUc `xL!f9'yo_*/(Bym!ƞ .?a,I cL/NρOI=Rd0wCE–$cb-!̆\nX\x:L$!i oF˞0Qݹ!?1! g@L-ǣaiAX#hBGH[1~cMNsxXҚm!ah\ߊΌ6"))ĴF#1Csy 1ӈ))Ơ%6Kš{Ss9zKqb2}! _% FKE,D "}fA=bAa~L­!R)Qw30^vofp0"(3[]ă0>]a~2?y :RL>zy 6t(QS=1U& g c7>R[7eID^~|NR] $Bq0Ӝhp6}B:߰|cm|?뽉e2'{xbRWkJ%zuweX zkwyUfU3{8~BOSr%+ %uV0`A i2bg4t\K -C#&a@}lF(DwnsLѺ:LNפENmx;\;Kr>)(lkEߢֳQQqi}uݹc^)<ƿd&SE`9,eIE)3S9lꌹ4W;ρWγ}QX\mIw`JT /!jb\ce؂/LNN۽ֆS~G>;eQc̑:jS#[}0j0CP܄qP b>^ Ȥou[@9?C9@/9P~)By7)pp)?姀|Pq}Y_?/1>Arߧ}}   Mu$!(oY NoR8G9B(^*Uy׀a uyS9@yJ͡*,cr\-*sҿw2~62A\wO aqʍz^S_xڞꖽpLڭe]9n@KG{1*,xW&  )htVydSrbye?VRRw;]Cڤ\j. {]r-Xѧ^5_9x=U26C{"c9|.y|8SNt7<1 }^Җ1 B8 vd{z*9.n #p+D>}.nm;yx#ֽ2b;w6 K췡\ţu.T+6:7q3[ #ňà8П}̙hZnamzםg4`/[烫և6{̦d󰡲iʪ)N(Ѵ~P+"D794\9GqbB]S[tDO_ NW镆.h ;cpö0A l(U˚VVk[*j f{DDL\R*R'Ӏe`_)&K<3 .=M^ed fMȡ!pCfJC#DK(x>[x)c6D|_,mBfH6T<'u~m'f\c /1G*o[KL!IU?I6ИYLCvs&Fdu#aqq%f~۵dmHvgYș=y G<'z FӕsX00wUW .-qAK5 X =cW ?cˤ IdP b2Oty'0BA<+?ibr]6M b ه%޿13{`yٻ l !f0'+xTb;`HIأ ^BOvB[0K b?94Ǟ”&D>x*$]vu$$}9= zLoTù(GCuhJ %x ol>eoE52FX]v vME\kτxsp{Ƃ)mød |A«E/=ׇ"cT =O9F\V2v,=GIkg_5 B3q< Y8-'rBzc{[/I)H(\dz\g;av {Bj;cK:#S3Q)jkA/?tI3۱x쥽%}Yq v.}f*Y/';@"o&!#R.ڐOF{_S aoil/y>ಁe":} S sogTÉt |!,ڎN-Gw U|ٲs9ebV)qmeGfӧZ-[@#5E`0v`ehD nخ;Oq^' 3>&rx{Ko^kSsL%:Ɛ9-S)0p,\ftO6A|gKo?[=ȾHJ B ϱɮx*xlg`SwDl .7(*O]F xWa!*e;6K)(Xp^'Al9i3w>E}2\Hxkyf#%S+~`[wt%(5x2;v͆LVe؋(| _b[0~X+mKbA<\n2?>%i3R}@ =( of4`y%K@4zWG5-E6<]܈x~{ݾŀ gkOUx.X=lۉR#nȅ-`jkDmYtẉA,O)h<˜4W6QĶqytc~ږ10#ŸrzsgdCuW.^3Ơ`{e75HR#zi!AC9Xqk @{k݄6L=L&j1Bi6e1}0-X+0V_kAkDeU|tCGYEL`&;]+ N*t&vж?gTH0H6c?tCf *$@˽ō]^g"a7:#/ah8`yb3Sq2JѬd;j g_yfOȅ^`\YG7^y{bg!˾tں>!M*`΢g/>!2T!6xvY`Eq{şu)h#/)ZN RzWtEg 6A|>Ðy6xL g UjT;IhdMn+:cSEᘸe=WFs(1{6J†mJPUN91VKi+^kЧTN&N⇅c>lgLt )2)v}mb-c6C-;'=*