XSS vulnerability in iGoogle/Gmodules when calling external widgets
Aug 1, 2007 | Category: Google Vulns
x2Fusion sent to me an interesting e-mail describing how is possible to XSS an iGoogle personalized homepage via the widgets.\r\n\r\niGoogle is using frames to open Gmodules, which calls third party widgets. While this prevents cookie stealing, can still be used to launch phishing attacks against the iGoogle users, or directly via gmodules.com, by calling a malicious widget, which will be executed in the context of the gmodules domain.Example (click ”Add to Google” button for the script to be executed)
\r\n\r\n
Furthermore, iGoogle is vulnerable to a permanent script insertion. A malicious user can obfuscate the XSS vector and send to the victim user the URL to add a widget. There are numerous ways to exploit the people”s tendency to trust you. One way is phishing. For this XSS vulnerability to work, no Google account is necessarily needed. It involves user interaction because the target user is asked to validate the addition of a new widget (if used via iGoogle).
\r\nIf the victim user is not signed in, then deleting the cookies will obviously remove any “malicious” widget that was added.
\r\nIf the victim user is signed in, then the XSS will be permanent until the removal of the “malicious” widget.
\r\n\r\n
\r\nIf the victim user is not signed in, then deleting the cookies will obviously remove any “malicious” widget that was added.
\r\nIf the victim user is signed in, then the XSS will be permanent until the removal of the “malicious” widget.
\r\n\r\n
\r\n
\r\nThis XSS could be used to redirect unsuspected users to a fake Google login page.
\r\n
\r\nThank you x2Fusion for bringing up the issue.
\r\n\r\nFrom: Xssed.com\r\n\r\n
