Potential Google Toolbar Hack

Security analyst finds a flaw in the Google Toolbar that could let a hacker control a user’s computer.

Are you like many others, with a Google Toolbar added on to your browser? If so, you’d better be careful about adding buttons to it. According to a story on TechNewsWorld, a security researcher has found a vulnerability that could allow a hacker to get control of your PC if you add a button.

Google has an API that allows users to create toolbar buttons, with the information stored in an XML file. A user needs to use a link to the XML file to install it.

The problem, researcher Aviv Raff found, occurs after someone clicks on that link, which is supposed to give information about the button. But an astute hacker can throw in a spoof redirected link instead, so instead of the button coming from Google, it comes from the hacker and could contain malware.

Of course, people generally don’t randomly add buttons to a toolbar, so any hacker would probably need to prompt a user into doing that, either by e-mail or using another site – quite a convoluted process.

"It is a good, effective way for attackers to gain their victim’s trust, but … there are other easier ways for attackers to gain access to their victim’s PC’s," Raff told TechNewsWorld. He added that he wasn’t surprised to find the vulnerability. "Even Google can have bugs. My recommendation for the end user is to avoid adding new buttons until Google provides a fixed version of the toolbar."

Affected are Google Toolbar 5 beta for Internet Explorer, Google Toolbar 4 for Internet Explorer, and Google Toolbar 4 for Firefox. However, the Firefox version only allows a partial spoof.