Ehm!

November 25, 2007

Google Gadgets XSS (IE6/Opera)

Filed under: English, Security, XSS — admin @ 9:58 am

There is a recent discussion on ha.ckers.org regarding a possible CSRF that could allow an attacker to inject an evil gadget on somebody else's iGoogle page. After checking the format of the XML file used to define a gadget's properties, I noticed a couple of attributes that could be used as injection points for active content: the thumbnail and screenshot attributes. Only one of them, the screenshot attribute, is vulnerable: by using a javascript: URI as its value you can execute active content on certain browsers such as IE6. This is a PoC that shows an alert with the current document.domain value:

www.google.com/ig/adde?moduleurl=http://beford.org/stuff/ig.xml

I've just notified Google about this. To avoid being a target of this flaw you can switch to Mozilla Firefox (+NoScript), or upgrade to IE7, which is not an option for Windows 2000 users.

Update: According to a friend, Rafael, Opera users are vulnerable as well; he sent me a screenshot which you can see here: Opera Google XSS.

Update 2: Google fixed this on 27 November.
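As an added example, not code from the original post or from Google: a small Python check that a gadget-hosting service could run over a submitted gadget's XML, rejecting any ModulePrefs URL attribute (the post's thumbnail and screenshot; author_link and title_url are assumed) whose scheme is not plain http or https. It assumes the gadget uses the <Module>/<ModulePrefs> layout, and the sample gadgets are constructed here for the check.

```python
import re
import xml.etree.ElementTree as ET

# ModulePrefs attributes that the gadget container renders as URLs. thumbnail
# and screenshot are the two the post names; the other two are assumptions.
URL_ATTRIBUTES = ("thumbnail", "screenshot", "author_link", "title_url")
ALLOWED_SCHEMES = ("http", "https")

def normalize_scheme(value):
    """Return the lower-cased URI scheme of value, or None if it has none.

    Legacy browsers ignored ASCII control characters and whitespace inside
    the scheme, so "java<TAB>script:" was treated as "javascript:". Strip
    those before extracting the scheme so the check is not bypassed by them.
    """
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    match = re.match(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):", cleaned)
    return match.group(1).lower() if match else None

def is_safe_url(value):
    # Allow-list, not deny-list: anything that is not http(s) is rejected,
    # which covers javascript:, vbscript:, data: and scheme-less values.
    return normalize_scheme(value) in ALLOWED_SCHEMES

def find_unsafe_attributes(gadget_xml):
    """Return (attribute, value) pairs in <ModulePrefs> that fail is_safe_url.

    The XML parser decodes character references (e.g. &#x09;) first, so the
    check sees the same string the browser would.
    """
    root = ET.fromstring(gadget_xml)
    prefs = root.find("ModulePrefs")
    if prefs is None:
        raise ValueError("gadget has no <ModulePrefs> element")
    return [(attr, prefs.get(attr)) for attr in URL_ATTRIBUTES
            if prefs.get(attr) is not None and not is_safe_url(prefs.get(attr))]

# Constructed sample gadgets (not the gadget linked in the post).
BENIGN_GADGET = """<Module>
  <ModulePrefs title="Weather" thumbnail="http://example.com/thumb.png"
               screenshot="https://example.com/shot.png"/>
  <Content type="html"><![CDATA[<p>hello</p>]]></Content>
</Module>"""

# screenshot carries a javascript: URI with an XML-encoded tab inside the
# scheme; the parser decodes it and normalize_scheme strips it.
MALICIOUS_GADGET = """<Module>
  <ModulePrefs title="Weather" thumbnail="http://example.com/thumb.png"
               screenshot="java&#x09;script:alert(document.domain)"/>
  <Content type="html"><![CDATA[<p>hello</p>]]></Content>
</Module>"""
```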

2 Comments »

  1. Fixed?

    Comment by Vinicius K-Max — November 28, 2007 @ 6:54 am

  2. Vinicius K-Max: Yes, I reported it to them after publishing it here.

    Comment by beford — November 28, 2007 @ 8:38 am
