XSS vulnerability in iGoogle/Gmodules when calling external widgets

Written by DP and KF

Monday, 20 August 2007

x2Fusion sent me an interesting e-mail describing how it is possible to XSS an iGoogle personalized homepage via widgets.

iGoogle uses frames to open Gmodules, which calls third-party widgets. While this prevents cookie stealing, it can still be used to launch phishing attacks against iGoogle users, or directly via, by calling a malicious widget, which will be executed in the context of the gmodules domain.

Example (click "Add to Google" button for the script to be executed)
Another example when calling the widget directly from gmodules (got it from

Furthermore, iGoogle is vulnerable to permanent script insertion. A malicious user can obfuscate the XSS vector and send the victim the URL to add a widget. There are numerous ways to exploit people's tendency to trust you. One way is phishing. For this XSS vulnerability to work, a Google account is not necessarily needed. It involves user interaction because the target user is asked to validate the addition of a new widget (if used via iGoogle).
If the victim user is not signed in, then deleting the cookies will obviously remove any "malicious" widget that was added.
If the victim user is signed in, then the XSS will be permanent until the removal of the "malicious" widget.

This XSS could be used to redirect unsuspecting users to a fake Google login page.
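The frame isolation described above (cookies out of reach, redirects still possible) can be written down as a small model. This is an added example, not code from the original post or from Google; the host names and URLs are assumptions for illustration, and the `sandbox` attribute shown as a mitigation is a later HTML feature that did not exist in 2007.

```javascript
// Simplified model of what script in a framed widget can do to its container.
// URLs below are assumed for illustration; they are not taken from the page.
const CONTAINER = "https://www.google.com/ig";   // assumed container page
const GADGET = "https://gmodules.com/ig/ifr";    // assumed widget frame URL

// Same-origin check: scheme, host and port must all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// RFC 6265 domain-match: is a cookie scoped to cookieDomain visible to host?
function cookieVisibleTo(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// May the framed document navigate the top-level page?
// sandbox === null models an iframe with no sandbox attribute, where the
// markup forbids nothing (browser-side interventions are not modelled).
function canNavigateTop(sandbox, userGesture = false) {
  if (sandbox === null) return true;
  const tokens = new Set(sandbox.split(/\s+/).filter(Boolean));
  if (tokens.has("allow-top-navigation")) return true;
  return userGesture && tokens.has("allow-top-navigation-by-user-activation");
}

// Summarise the exposure of the container page to script in the widget frame.
function assess(containerUrl, gadgetUrl, cookieDomain, sandbox) {
  return {
    readsContainerDom: sameOrigin(containerUrl, gadgetUrl),
    readsSessionCookie: cookieVisibleTo(new URL(gadgetUrl).hostname, cookieDomain),
    redirectsTopPage: canNavigateTop(sandbox),
  };
}

// Plain frame on a separate domain: cookies and DOM are isolated, redirect is not.
console.log(assess(CONTAINER, GADGET, "google.com", null));
// Same frame with a sandbox that omits allow-top-navigation: redirect is blocked.
console.log(assess(CONTAINER, GADGET, "google.com", "allow-scripts allow-forms"));
```

Serving widgets from a separate domain accounts for the first two `false` values; only a frame-level restriction such as `sandbox` changes the third.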

Thank you x2Fusion for bringing up the issue.
