Security researcher Aviv Raff has published a vulnerability affecting Google’s Toolbar browser feature. The weak spot Raff reported could let a hacker gain control of a user’s PC when the user tries to add a new Google Toolbar button.
The vulnerability is based on spoofing a trusted site that would normally provide a safe toolbar button — basically tricking the user into downloading malicious files that could then be used, for example, to conduct nefarious activities like phishing attacks that could target banking information.
Raff published the details on his Web site and notified Google, which is working on a fix.
Spoofing the Source
Google Toolbar provides an API (application programming interface) for creating toolbar buttons, Raff reported, and the button information is stored in an XML (extensible markup language) file. In order to add a button, the user would have to click on a link that refers to the button’s XML file.
The problem lies in the resulting dialog box that pops up, which supposedly shows the user where the button is being downloaded from, some information about the button, and privacy considerations. A hacker, however, can use an open redirector-based link to spoof the URL shown in the dialog box, making it seem, for example, that a button would be downloaded from Google.com, when in fact it would come from the hacker.
Finding the Vulnerability
“I actually didn’t use this toolbar for a long long time, way before there was a possibility to add new buttons, and I was curious about the new beta version,” Raff told TechNewsWorld. “I downloaded it and looked into this nice feature, which was new to me.”
There’s a couple of levels of work a hacker would have to go through to make this vulnerability pan out, such as getting a user to start downloading a button in the first place. That would likely have to come from a site or e-mail the user believed was safe.
“It is a good, effective way for attackers to gain their victim’s trust, but … there are other easier ways for attackers to gain access to their victim’s PC’s,” Raff noted.
Still, Google has a massive programming staff that basically lives for creating Web-based applications that should be rock-solid and secure. Is this a surprising hole?
“I wasn’t surprised,” Raff said. “Even Google can have bugs. My recommendation for the end user is to avoid adding new buttons until Google provides a fixed version of the toolbar.”
Raff also published a proof-of-concept example. The affected versions are Google Toolbar 5 beta for Internet Explorer, Google Toolbar 4 for Internet Explorer, and Google Toolbar 4 for Firefox. The Firefox version only allows for a partial URL spoof, however.