DISCLAIMER: Logging other people's keystrokes or breaking
into other people's computer without their permission can
be considered illegal by the courts of many countries.
The monitoring software reviewed here is ONLY for authorized
system administrators and/or owners of computers.
We assume no liability and are not responsible for any misuse
or damage caused by the keylogging software. The end user of
this software is obliged to obey all applicable local, state,
federal and other laws in his country of residence.
December 19th, 2007
Google Toolbar flaw opens door for phishers
Google is working to fix a bug in the Google Toolbar that could allow criminals to steal data or install malicious software on a system, a security researcher warned Tuesday.
The flaw lies in the mechanism Google Toolbar uses to add new buttons on the browser. Because the toolbar does not perform adequate checks when new buttons are being installed, a hacker could make his button appear as though it was being downloaded from a legitimate site when in fact it came from somewhere else. By spoofing the origin of the toolbar button, an attacker could download malicious files or launch a phishing attack against the victim, wrote security researcher Aviv Raff in a blog post on the issue.
Raff has posted proof of concept code, showing how such an attack would work with the Internet Explorer browser. A Google spokeswoman confirmed Tuesday that the company is working to fix the problem.
The attack requires many steps. First, the victim would have to be tricked into clicking on a Web link that would then pop up a window asking the user if he wants to install a custom button on his toolbar. Because of the flaw, this alert could look like it was downloading the button from a legitimate site, such as Google.com, even if it were not. Once the button was installed on the toolbar, the victim would then have to click on it and, finally, agree to download and run an executable file for the malicious software to be installed.
Because the user would have to go through so many steps in order to fall victim to the attack, the bug isn't a critical one, said Marc Maiffret, an independent security researcher. ‘While it is interesting, it's probably a low threat compared to other flaws out there,’ he said.
Still, it was sloppy work on Google's part to miss such a simple attack, he said. ‘They should definitely assess how it slipped through the cracks,’ he said.
This is not the first obvious Google flaw that Raff has found. Last month, he showed how a simple Web programming error on the Google.com Web site could allow attackers to launch what's known as a cross-site scripting attack.
Because Google's programmers didn't properly check the HTML generated by the Google search engine, Raff was able to create a specially crafted Google link that, when clicked by the victim, would trick the browser into running unauthorized scripting code. This type of link could be used to steal the victim's Google account or conduct phishing attacks, Raff said
This error was fixed by Google just hours after Raff notified the company of the problem, but a demo of the flaw being exploited can be seen online.
Source: INFOWORLD
All news for December, 2008
All news for 2008 year
All news for 2007 year
All news for 2006 year
All news for 2005 year
All news for 2004 year
DONATION: Keylogger.org is an independent research
project supported by a team of enthusiasts. If you find this
project useful or would like to help foster its continued
development please consider making a donation using PayPal`s
online secure payment service. A PayPal account is not required.
All major credit cards are accepted (MasterCard/Eurocard,
Visa/Delta/Electron, American Express, Switch/Maestro, Solo).
Simply click the button below.
Any amount would be useful and appreciated!
Thanks in advance for your support!
|
