Aug 1, 2007 | Category: Google Vulns
x2Fusion sent me an interesting e-mail describing how it is possible to XSS an iGoogle personalized homepage via the widgets.

iGoogle uses frames to open Gmodules, which calls third-party widgets. While this prevents cookie stealing, it can still be used to launch phishing attacks against iGoogle users, or directly via gmodules.com, by calling a malicious widget, which will be executed in the context of the gmodules domain.

Example (click the “Add to Google” button for the script to be executed)
If the victim user is not signed in, then deleting the cookies will obviously remove any “malicious” widget that was added.
If the victim user is signed in, then the XSS will be permanent until the removal of the “malicious” widget.
This XSS could be used to redirect unsuspecting users to a fake Google login page.
Thank you, x2Fusion, for bringing up the issue.