Google has crossed swords with an independent security researcher who claims that the domain used by Google module applications provides a potential "safe haven" for phishing fraudsters.

Google modules are small web apps (widgets) designed for functions such as displaying weather forecasts or sports scores on a third-party website.

Security researcher Robert Hansen warned Google that fraudsters might be able to create a phishing site on the gmodules domain because a cross site scripting flaw allows the injection of JavaScript.

Because the gmodules domain (gmodules.com) is trusted by phishing filters the flaw poses a greater risk than it might on other domains.

In its response, Google said JavaScript is a supported part of Google modules. Cross-domain protection stops sites on gmodules from been used to steal Google-specific cookies, it adds. "On further review, it turns out that this is not a bug, but instead the expected behavior of this domain," Google's security staffers told Hansen.

Hansen, a critic of Google's security response in general, argues that the search engine giant has missed the point. He posted a demo (http://gmodules.com/ig/creator?synd=open&url=http%3A//ha.ckers.org/asdf2.xml&pt=&context=b&synd=open&lang=en&.lang=en&country=us&.country=us&cat=all&num=24&start=0&cols=4&objs=w,mO,jyq,gQq,jhP,NL,Hg,pV,RB,p,33G,EKT,6aZ,7Wu,aag,2C,vB,sMg,j0,xQO,5WIK,Rm,gP1,acyU&sn=2C&lang=en) of cross-site scripting of the gmodules domain to illustrate his concern that Google ought to be worried about risks beyond simple credential (cookie) theft.

The exchange (http://ha.ckers.org/blog/20070817/xss-hole-in-google-apps-is-expected-behavior) between Hansen and Google has sparked a lively debate on the ha.ckers.otg forum with participants weighing in on both sides of the debate. Some point out that Google has at least mitigated the risk by running modules from the gmodules domain, while others argue that the security policies at the ad brokering giant leave a lot to be desired. ®

Related stories

Surfing Google may be harmful to your security (9 August 2008)
http://www.theregister.co.uk/2008/08/09/google_gadget_threats/
Google's cookie crumbles under scripting attack (15 April 2008)
http://www.theregister.co.uk/2008/04/15/google_spreadsheet_bug/
Stay ahead of Web 2.0 worms (7 January 2008)
http://www.theregister.co.uk/2008/01/07/xss_tactics_strategy/
Adobe gifts internal file permissions to unwashed masses (27 September 2007)
http://www.theregister.co.uk/2007/09/27/adobe_website_leak/
Unholy trinity of flaws put Google users at risk (24 September 2007)
http://www.theregister.co.uk/2007/09/24/google_vulns_put_users_at_risk/
Cap Gemini twins with Google to punt online apps (10 September 2007)
http://www.theregister.co.uk/2007/09/10/google_apps_cap_gemini/
Thinking outside the Opera box (18 August 2007)
http://www.theregister.co.uk/2007/08/18/opera_ceo_interview/
Webmail-creating Trojan targets Gmail (15 August 2007)
http://www.theregister.co.uk/2007/08/15/webmail_trojan_update/
Google's Lemon squeezes out web app bugs (18 July 2007)
http://www.theregister.co.uk/2007/07/18/google_lemon/
Google in cookie concession to dead people (17 July 2007)
http://www.theregister.co.uk/2007/07/17/google_changes_cookie_policy/
One in 10 web pages laced with malware - Google (11 May 2007)
http://www.theregister.co.uk/2007/05/11/google_malware_map/
Blogger.com 'riddled' with malware (15 March 2007)
http://www.theregister.co.uk/2007/03/15/blogger_malware/
Mail widget bug stumps MS (15 March 2007)
http://www.theregister.co.uk/2007/03/15/ms_mail_gadget_outage/
Google patches critical desktop flaw (21 February 2007)
http://www.theregister.co.uk/2007/02/21/google_desktop_search_bug/
Cookie monster menaces Google (18 January 2007)
http://www.theregister.co.uk/2007/01/18/google_patches_cookie_bugs/
Google blacklist sheds light on phishing tactics (5 January 2007)
http://www.theregister.co.uk/2007/01/05/google_phishing_blacklist/
Google plugs GMail exploit (2 January 2007)
http://www.theregister.co.uk/2007/01/02/gmail_exploit/
Worm automates Google AdSense fraud (6 October 2006)
http://www.theregister.co.uk/2006/10/06/google_adsense_worm/