x2Fusion sent to me an interesting e-mail describing how is possible to XSS an
iGoogle personalized homepage via the widgets.
iGoogle is using frames to open Gmodules, which calls third party widgets. While this prevents cookie stealing, can still be used to launch phishing attacks against the iGoogle users, or directly via gmodules.com, by calling a malicious widget, which will be executed in the context of the gmodules domain.