XSS vulnerability in iGoogle/Gmodules when calling external widgets
Written by DP and KF
Monday, 20 August 2007
x2Fusion sent to me an interesting e-mail describing how is possible to XSS an iGoogle personalized homepage via the widgets.
iGoogle is using frames to open Gmodules, which calls third party widgets. While this prevents cookie stealing, can still be used to launch phishing attacks against the iGoogle users, or directly via gmodules.com, by calling a malicious widget, which will be executed in the context of the gmodules domain.