Google Toolbar Dialog Spoofing Vulnerability

Google Toolbar allows spoofing the information presented in the dialog which is being displayed when adding a new Google Toolbar button. This can allow an attacker to convince the users that his button comes from a trusted domain. This button can then be used to download malicious files or conduct phishing attacks (e.g. show a login form of a bank).

Affected versions
Google Toolbar 5 beta for Internet Explorer
Google Toolbar 4 for Internet Explorer
Google Toolbar 4 for Firefox (partially)

Proof of Concept is available.

Workaround / Suggestion

Google have acknowledged this and are already working on a fix.
Until a fixed version is provided, I suggest to avoid adding new buttons to the toolbar.

Details at http://aviv.raffon.net/2007/12/18/GoogleToolbarDialogSpoofingVulnerability.aspx

Published Tuesday, December 18, 2007 9:49 PM by donna

Comments

Thursday, December 20, 2007 9:59 AM by Harry Waldron - Microsoft MVP Blog

# Google Toolbar - Custom Button Spoofing Vulnerability

A new proof-of-concept vulnerability has surfaced where malicious code can be triggered through a crafted

Thursday, December 20, 2007 10:00 AM by Harry Waldron - My IT Forums Blog

# Google Toolbar - Custom Button Spoofing Vulnerability

A new proof-of-concept vulnerability has surfaced where malicious code can be triggered through a crafted

Thursday, December 20, 2007 10:06 AM by harry

# re: Google Toolbar Dialog Spoofing Vulnerability

Some additional links can be found here to complement Donna's earlier warning on this new vulnerability:

msmvps.com/.../google-toolbar-custom-button-spoofing-vulnerability.aspx

Wednesday, December 26, 2007 7:45 AM by Internet Explorer 5 » Google Toolbar Dialog Spoofing Vulnerability

# Internet Explorer 5 » Google Toolbar Dialog Spoofing Vulnerability

Pingback from  Internet Explorer 5 » Google Toolbar Dialog Spoofing Vulnerability