By Andy Patrizio
A security researcher has discovered a rather sneaky new exploit involving the Google Toolbar, in which hackers appear to be installing a legitimate Toolbar button but are really installing malicious code.
Aviv Raff noted that the spoof presents legitimate-looking dialog boxes and windows to convince users that the button comes from a trusted domain. In his example, he showed what appeared to be a button for The New York Times being installed on the toolbar.
In reality, when the user clicks on the Times button on their toolbar, malicious code is retrieved and installed on their computer without their knowledge. Raff found that it affected Google Toolbar 5 beta for Internet Explorer and Google Toolbar 4 for IE, and that it partially affected Google Toolbar 4 for Firefox.
When contacted by InternetNews.com, a Google spokesperson would only say, "Google takes the security of our users very seriously. We have been notified of this issue and are currently working on a fix."