
Google Toolbar flaw opens door for phishers
Written by Daniel   
Wednesday, 19 December 2007 10:57

 
Google is already at work trying to patch the flaw, which could allow criminals to steal data or install malicious software on a system

By Robert McMillan, IDG News Service
December 18, 2007, InfoWorld

Google is working to fix a bug in the Google Toolbar that could allow criminals to steal data or install malicious software on a system, a security researcher warned Tuesday.

The flaw lies in the mechanism Google Toolbar uses to add new buttons on the browser. Because the toolbar does not perform adequate checks when new buttons are being installed, a hacker could make his button appear as though it was being downloaded from a legitimate site when in fact it came from somewhere else.

 

By spoofing the origin of the toolbar button, an attacker could download malicious files or launch a phishing attack against the victim, wrote security researcher Aviv Raff in a blog post on the issue.

Raff has posted proof of concept code, showing how such an attack would work with the Internet Explorer browser. A Google spokeswoman confirmed Tuesday that the company is working to fix the problem.

The attack requires many steps. First, the victim would have to be tricked into clicking on a Web link that would then pop up a window asking the user if he wants to install a custom button on his toolbar. Because of the flaw, this alert could look like it was downloading the button from a legitimate site, such as Google.com, even if it were not. Once the button was installed on the toolbar, the victim would then have to click on it and, finally, agree to download and run an executable file for the malicious software to be installed.

 


Copyright ©2001 - 2012, AOA Forums.  All rights reserved.

Alliance of Overclocking Arts
