Unpatched Google Toolbar Flaw Presents ID Theft Risk

A hacker finds a way to use a booby-trapped Web page to trick Google Toolbar users into adding malicious buttons to the browser.

A dialog spoofing vulnerability in the popular Google Toolbar could be exploited by malicious hackers to execute malicious files or launch identity theft attacks, according to a warning from security researcher Aviv Raff.

Raff, a well-known hacker who regularly finds and reports software vulnerabilities, figured out a way to use a booby-trapped Web page to trick Google Toolbar users into adding malicious buttons to the toolbar.

In an IM interview with eWEEK, Raff said multiple versions of the toolbar allows spoofed information to be presented to the user when adding a new browser toolbar icon/button.

"This can allow an attacker to convince the users that his button comes from a trusted domain. This button can then be used to download malicious files or conduct phishing attacks," Raff said in an advisory.</ p>

eWEEK has confirmed the bug on the Google Toolbar 5 beta for Internet Explorer. Raff said the production version (Google Toolbar 4) for both Microsoft's Internet Explorer and the open-source Firefox browsers is also affected.

Google has been notified and is working on a fix, Raff said.

"An attacker can use this vulnerability to gain the victim's trust to add and use the button, and by that the victim will trust the files that the button offer, or enter private information. In the new beta version of the toolbar, it is also possible to alert the user every few seconds to click on the button," Raff said.

The researcher has released a proof-of-concept exploit to demonstrate how a specially rigged Web page can trick a user into believing third-party toolbar buttons are being downloaded from Google's domain.

In the absence of a fix, Raff suggested that Google Toolbar users avoid adding new buttons.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.