Today RSnake revealed a cross-site scripting vulnerability affecting Google Gadgets in the gmodules.com domain.

This XSS hole allows anybody to host their own web content, JavaScript code included, anywhere they like and have it rendered and executed in the context of the gmodules.com domain, with no validation of any sort. In other words, the browser sees the attacker's script as coming from gmodules.com, with all the trust and privileges that origin carries.

RSnake responsibly reported his finding to Google before resorting to public disclosure, but the G guys answered that this behavior is "by design" and won't be fixed.

What does it mean?

For the average user, such a vulnerability means that phishers can effectively use a site owned by Google as a free hosting facility, which makes blacklisting and/or shutting down the scam quite impractical: blocking the scam would mean blocking a Google domain, and don't forget that Firefox's built-in anti-phishing blacklist is provided by Google itself.

For NoScript users, it means that if you allow gmodules.com to execute scripts, you're trusting not just Google, as you may be misled to believe, but everyone in the cyberworld -- even the most evil hackers like my friend RSnake ;) -- to run their code inside your browser. NoScript's whitelist works per origin, and the origin here is gmodules.com regardless of who actually wrote the script.

The bottom line is: until Google's security crew changes its mind and decides to rethink or remove this "feature", do not whitelist gmodules.com -- even better, mark gmodules.com as untrusted.

If you absolutely need scripts from the gmodules.com domain, e.g. to use those so-called mapplets (another nifty Web 2.0 marvel), just "Temporarily allow" it, revoke the temporary permission as soon as you're done, and cross your fingers in the meantime.

On a side note, the U.N. site is still vulnerable to defacement...