Many bloggers love the Google Toolbar because it shows that all-important green PageRank bar. Unfortunately, it seems that some of Google’s young, just-out-of-college, hotshot programmers got a little sloppy and left an exploit door wide open.
As usual, this exploit only affects the already security-troubled Microsoft Internet Explorer and apparently not Firefox or other browsers. Google is working on a fix, but from looking at their toolbar page it’s not clear whether a fix for the problem has been released. It doesn’t seem to be, but you can bet the espresso machines are working overtime and the Wii systems are going untouched at one area of the Googleplex.
According to security blogger Aviv Raff, the flaw is found in the code that the Google Toolbar uses to add new buttons to the browser. Because its security checks are lacking when a new button is installed, the door is left open for a malware site, spoofing a legit site, to deliver a malicious payload through one of those infamous ‘specially crafted links’. Raff’s site has proof-of-concept code if you want to dig into the details.
How the Attack Goes Down
Fortunately, the attack requires positive user interaction.
First, you have to go to a malware distribution site. If you’ve been reading Vic’s blog you know how easy it is to get someone to do that with a compelling bait-and-switch ad tactic.
Next, the user has to OK the installation of a custom button. However, the social engineering trick here is that the button appears to be from a well-known, legitimate source.
Once the button is installed, the victim of the attack must click the button and agree to download and install an executable file that contains a malicious program.
Since the attack requires so many steps, a user would have to be very trusting or very curious about the button. Therefore, most security experts have given the threat a low rating. However, it’s probably a good policy not to download add-on buttons for the Google Toolbar until Google releases a fix for this flaw. Or, just don’t use IE unless you absolutely have to.
What are your thoughts on this? Leave me a comment and let me know.