Google Toolbar versions 4 & 5 allows spoofing the information presented in the dialog which is being displayed when adding a new Google Toolbar button. This can allow an attacker to convince the users that his button comes from a trusted domain. This button can then be used to download malicious files or conduct phishing attacks (e.g. show a login form of a bank).
Google Toolbar provides a nice API for creating toolbar buttons. Basically, the button information is stored in an XML file.
In order to add a button, the toolbar user must click on a specially crafted link which refers to the button's XML file. When the user click on the link, a dialog appears with all the following details: The domain where the button is being downloaded from, the name, description and icon of the button and some "privacy considerations", which basically shows the domains which the button interacts with (sends/receive information).