Welcome | Sign In
TechNewsWorld.com
Exploits & Vulnerabilities

Security Specialist Spots Source Spoof Vulnerability in Google Toolbar

Print Version
E-Mail Article
Reprints
Security Specialist Spots Source Spoof Vulnerability in Google Toolbar

Security researcher Aviv Raff has spotted a security hole in Google's Toolbar browser utility. The trick lies in a hacker spoofing a URL in a dialog box that pops up once an unsuspecting user wishes to download a new toolbar button. The URL may indicate the download comes from a trusted source, but the actual source of the data may be a hacker, and the application may be far from what was advertised.


eMarketer Whitepaper: Optimizing the E-Commerce Experience
From the Web to the Contact Center, are you prepared to proactively engage and keep your savvy customers? Read how e-commerce leaders are optimizing their sites with ratings, reviews, live help, Web analytics, mobile and more.

Security researcher Aviv Raff has published a vulnerability affecting Google's (Nasdaq: GOOG) Toolbar browser feature. The weak spot Raff reported could let a hacker gain control of a user's PC when the user tries to add a new Google Toolbar button.

The vulnerability is based on spoofing a trusted site that would normally provide a safe toolbar button -- basically tricking the user into downloading malicious files that could then be used, for example, to conduct nefarious activities like phishing attacks that could target banking information.

Raff published the details on his Web site and notified Google, which is working on a fix.

Spoofing the Source

Google Toolbar provides an API (application programming interface) for creating toolbar buttons, Raff reported, and the button information is stored in an XML (extensible markup language) file. In order to add a button, the user would have to click on a link that refers to the button's XML file.

The problem lies in the resulting dialog box that pops up, which supposedly shows the user where the button is being downloaded from, some information about the button, and privacy considerations. A hacker, however, can use an open redirector-based link to spoof the URL shown in the dialog box, making it seem, for example, that a button would be downloaded from Google.com, when in fact it would come from the hacker.

Finding the Vulnerability

"I actually didn't use this toolbar for a long long time, way before there was a possibility to add new buttons, and I was curious about the new beta version," Raff told TechNewsWorld. "I downloaded it and looked into this nice feature, which was new to me."

There's a couple of levels of work a hacker would have to go through to make this vulnerability pan out, such as getting a user to start downloading a button in the first place. That would likely have to come from a site or e-mail Increase Customer Sales with Email Marketing -- Free Trial from VerticalResponse the user believed was safe.

"It is a good, effective way for attackers to gain their victim's trust, but ... there are other easier ways for attackers to gain access to their victim's PC's," Raff noted.

Still, Google has a massive programming staff that basically lives for creating Web-based applications that should be rock-solid and secure. Is this a surprising hole?

"I wasn't surprised," Raff said. "Even Google can have bugs. My recommendation for the end user is to avoid adding new buttons until Google provides a fixed version of the toolbar."

Raff also published a proof-of-concept example. The affected versions are Google Toolbar 5 beta for Internet Explorer, Google Toolbar 4 for Internet Explorer, and Google Toolbar 4 for Firefox. The Firefox version only allows for a partial URL spoof, however.


Print Version E-Mail Article Reprints More by Chris Maxcer


More by Chris Maxcer

The Gphone That Could Catch My Eye
November 20, 2009
Rumors are cropping up that Google is preparing to sell its own Gphone -- an Android handset using Google-branded hardware. There are some reasons to doubt it will happen, of course, but the possibility is intriguing. What would Google have to build to make something worthy of an iPhone fan's attention?
Apple's House Rules Won't Be the Death of App Development
November 13, 2009
Facebook's iPhone app is one of the most popular wares the App Store has ever carried. But its developer, Joe Hewitt, says he's through with it, stating that Apple's review policies are starting a bad precedent for other platforms. However, good apps from talented developers will always find platforms, and Apple's policies won't prevent that from happening. They may even help.
Let's Give the iPhone Hackers a Big Round of Applause
November 06, 2009
It's safe to say most Apple customers are satisfied living in the walled-off ecosystem that the company has created for products like the iPhone. Still, it's good to know that it is possible -- and relatively easy, even -- to bust through those walls if one should ever want to. The work of iPhone hackers is appreciated even by those who've never felt the jailbreak itch.
Don't miss a story -- sign up for our FREE e-mail newsletters and view the latest headlines at a glance.
Tech News Flash [ View Sample ]
E-Commerce Minute [ View Sample ]
ECT News Network Weekly Newsletter [ View Sample ]
Shortcuts
ECT News Network Information
Reader Services
Corporate
ECT News Network