A security researcher has discovered a rather sneaky new exploit involving the Google Toolbar, where hackers can pretend to be installing a legitimate Toolbar button item but they’re really installing malicious code.
Aviv Raff noted that the spoof presents legitimate-looking dialog boxes and windows to convince users that the button comes from a trusted domain. In his example, he showed what appeared to be a button for The New York Times being installed on the toolbar.
In reality, when the user clicks the Times button on the toolbar, malicious code is retrieved and installed on the computer without the user knowing it. Raff found that the issue affected Google Toolbar 5 beta for Internet Explorer and Google Toolbar 4 for IE, and that it partially affected Google Toolbar 4 for Firefox.
When contacted by InternetNews.com, a Google spokesperson would only say “Google takes the security of our users very seriously. We have been notified of this issue and are currently working on a fix.”
Paul Henry, vice president of technology evangelism for the security provider Secure Computing, said Google needs to do two things: stop anyone from spoofing the functionality of the application so it looks like a legitimate application, and make sure the button doesn’t download code.
“There’s no reason a button should cause an executable to be downloaded across the public Internet without operator intervention,” he said. “Perhaps we need signing for toolbar buttons.”
Henry said until Google issues a fix, “common sense is your best defense. Do not install any Google toolbar buttons from any site that you do not explicitly trust.”