Amateur Radio Emergency Service - W4ACA

Proudly using the Oak Ridge ARC (W4SKH) Repeaters & W4ACA APRS Digipeater

Friday, December 21, 2007

Google Toolbar: Beware of Buttons

December 20th, 2007

by Roderick Ordoñez

The Google toolbar has found yet another use: as a possible malware vector. Researcher Aviv Raff has released proof-of-concept (PoC) code that demonstrates how an attacker may install malicious software or conduct phishing attacks by prompting the user to install a new Google toolbar button.

Affected Google toolbar versions are as follows:

Google Toolbar 5 beta for Internet Explorer
Google Toolbar 4 for Internet Explorer
Google Toolbar 4 for Firefox (partially)

The code makes use of a specially crafted link that refers to the button’s XML file. When clicked, the link displays a dialog box summarizing the details of the button to be installed, including the URL from which the button is to be downloaded. Through manipulation, however, a malicious author could make that URL appear non-malicious by adding special redirector strings, which further increases the user’s trust in the button to be installed. If the toolbar does get installed, the user must manually click on the button to execute it, which in turn may run an installation script (which the user must approve to install) or a fake log-in console (for phishing purposes).

However, Google classifies the PoC as non-critical, due to the multitude of steps involved before a user does get infected. Nevertheless, the search giant has confirmed that it is currently looking for a fix to remedy the bug.

Google actually encourages the creation of custom buttons for its toolbar, and outlines the ease of creating one on its Web site, complete with API documentation. This ease-of-creation feature, coupled with Google’s large fanbase, opens up plenty of possibilities for its users, malware authors included.

In the meantime, users of Google toolbar are advised to refrain from adding new buttons.
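An added example, not part of the original article or of Raff's PoC: a Python check a defender could run over button-install links to flag the redirector trick described above, where the host shown to the user is not the host the content finally comes from. It assumes the redirect target travels as a URL inside a query parameter, which the article does not spell out; all URLs and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

MAX_DEPTH = 5  # stop unwrapping nested redirect parameters after this many hops


def _host(url):
    """Lower-cased host of an http(s) or scheme-relative URL, else None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https", ""):
        return None
    return parts.hostname.lower() if parts.hostname else None


def nested_urls(url):
    """URLs carried as query-parameter values (assumed redirector form)."""
    try:
        query = urlsplit(url).query
    except ValueError:
        return []
    # parse_qsl percent-decodes once, so each recursion peels one encoding layer
    return [value for _, value in parse_qsl(query) if _host(value)]


def host_chain(url, depth=0):
    """Displayed host first, then every host reachable through redirect parameters."""
    chain = [_host(url) or ""]
    if depth < MAX_DEPTH:
        for inner in nested_urls(url):
            chain.extend(host_chain(inner, depth + 1))
    return chain


def review(url):
    """Summarise whether the host a dialog would show differs from the real source."""
    chain = host_chain(url)
    others = [h for h in chain[1:] if h != chain[0]]
    return {"displayed_host": chain[0], "redirect_hosts": others, "misleading": bool(others)}


if __name__ == "__main__":
    # Constructed sample links (reserved .example names), not real button URLs
    for link in (
        "https://trusted.example/buttons/weather.xml",
        "https://trusted.example/url?q=https%3A%2F%2Funtrusted.example%2Fbutton.xml",
    ):
        print(link, "->", review(link))
```

A link flagged as misleading should be shown to the user with the final host, not the first one, before any install prompt is accepted.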


Anderson County ARES Information

The Anderson County ARES net meets every Tuesday Night at 7PM local time.
We use the W4SKH Oak Ridge ARC repeaters.

The main repeater is: 146.880 PL Tone 88.5 (Currently Online)
The current back up is: 146.970 (Currently Online)

The ARES Nation Simplex Frequency is 147.420 and will be used if required.

The net preamble for the Anderson County ARES net can be found here.
NET PREAMBLE

Net Control Station Manual

New FCC BAND PLAN (pdf) Updated Version with a different layout HF Band Plan Vertical (pdf) Courtesy of KB6NU's Ham Radio Blog

If you would like to join Anderson County ARES please complete the application form and submit it by email to Jeff or Moe.


Emergency Coordinator and Staff

Jeff Yawn K4IK Emergency Coordinator (865)567-2577
Jim Bogard - KY4L Assistant Emergency Coordinator
Larry Hensley - KB4ITS Asst Emergency Coordinator / Net Manager
Steve Lothridge - KI4RGN Net Manager
Moe Brewer - N4CQW Asst Emergency Coordinator / Webmaster
