If at first you don't succeed; call it version 1.0
Tuesday, 18 December 2007


Google Toolbar allows spoofing of the information presented in the dialog that is displayed when a new Google Toolbar button is added. An attacker can use this to convince users that the button comes from a trusted domain. The button can then be used to serve malicious files or to conduct phishing attacks (e.g. by showing a bank's login form).

Affected versions

  • Google Toolbar 5 beta for Internet Explorer
  • Google Toolbar 4 for Internet Explorer
  • Google Toolbar 4 for Firefox (partially)

Technical details

Google Toolbar provides a nice API for creating toolbar buttons. Basically, the button information is stored in an XML file.

In order to add a button, the toolbar user must click on a specially crafted link which refers to the button's XML file. When the user clicks on the link, a dialog appears with the following details: the domain the button is being downloaded from, the name, description and icon of the button, and some "privacy considerations", which basically lists the domains the button interacts with (sends/receives information).

By creating a specially crafted URL, an attacker can fake the domains displayed in the "Downloaded from" and "Privacy considerations" sections. Such a URL can be created simply by prefixing the button's URL with an open redirector (e.g. one on google.com: http://www.google.com/local_url?q=).

An attacker can use this vulnerability to gain the victim's trust so that the victim adds and uses the button; the victim will then trust the files that the button offers, or enter private information. In the new beta version of the toolbar it is also possible to alert the user every few seconds to click on the button.

In the Firefox version of Google Toolbar it is only possible to fake the "Privacy considerations" section.
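As an added example (not code from the post or from Google Toolbar), the following Python contrasts the flawed behaviour described above, where the "Downloaded from" domain is taken from the host of the link the user clicked, with a resolver that follows the redirect chain and reports the host that actually served the XML. The redirector and attacker hosts, the button URL and the `fetch` stub are constructed stand-ins; no network access is made.

```python
from urllib.parse import urlparse

# Constructed stand-in for HTTP responses: URL -> ("redirect", Location)
# or ("xml", body). The hosts below are hypothetical, not real sites.
LINK = "http://www.example-redirector.test/out?q=http://attacker.test/button.xml"
RESPONSES = {
    LINK: ("redirect", "http://attacker.test/button.xml"),
    "http://attacker.test/button.xml": ("xml", "<custombuttons/>"),
}


def fetch(url):
    """Stub for an HTTP GET; raises KeyError for URLs we did not stage."""
    return RESPONSES[url]


def naive_downloaded_from(link_url):
    """Flawed behaviour: show the host of the link that was clicked.

    With an open redirector in front, this displays the redirector's
    trusted host even though the XML is served from elsewhere."""
    return urlparse(link_url).hostname


def resolved_downloaded_from(link_url, fetch=fetch, max_hops=5):
    """Hardened behaviour: follow redirects and report the host that
    finally served the button XML.

    Returns (final_host, crossed_domains). crossed_domains is True when
    the chain did not stay on one host, so the dialog can warn the user
    that the link's domain and the serving domain differ."""
    url = link_url
    hosts = [urlparse(url).hostname]
    for _ in range(max_hops):
        kind, payload = fetch(url)
        if kind == "xml":
            return hosts[-1], len(set(hosts)) > 1
        url = payload
        hosts.append(urlparse(url).hostname)
    # Refuse to display anything if the chain is suspiciously long.
    raise ValueError("redirect chain exceeded %d hops" % max_hops)
```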


A proof-of-concept which adds a "critical update" button can be found here. Use it at your own risk, though it shouldn't do anything but suggest that you download gupdate.exe from my site, which is basically the Windows calculator.

Workaround / Suggestion

Google have acknowledged this and are already working on a fix.
Until a fixed version is available, I suggest avoiding adding new buttons to the toolbar.

Tuesday, 18 December 2007 15:13:29 UTC | Comments [1] | Security#