Niall Kennedy has a blog post entitled Netvibes module developer collects web credentials, personal content where he writes
A developer created a Netvibes module and submitted it for inclusion in the Netvibes Ecosystem module directory.
A Netvibes employee examined and approved the submitted module for
inclusion in the directory. The remotely-hosted module was then altered
by the developer to retrieve stored preferences from other configured
modules and store information from other modules loaded in the page
such as the contents of a webnote, the user's latest Gmail messages,
upcoming appointments and contacts, etc. The developer stored this data
in a remote database and later examined his collected findings.
Each Netvibes module is rendered inline, meshing the markup
generated by the module with the rest of the page's content. A module
I talked to Niall about this on IM and upon reading the blog post from the Netvibes team as well as Niall's summary of the situations it seems they are doing at least three things wrong from a security perspective.
- 3rd party gadgets hosted inline within the page instead of within iframes which means the gadget can walk the DOM and interact with other gadgets on the page.
- 3rd party gadgets are fetched from 3rd party domains instead of a snapshot of the code being run from their domains which means malicious developers can alter their gadgets after they have been submitted
- 3rd party gadgets not hosted on a separate top level domain which means gadgets may may be able to set and read cookies from the *.netvibes.com domain
All of these are safeguards that we take in Windows Live Gallery, Windows Live Spaces and Live.com to prevent malicious gadgets. I'm stunned that the response of the Netvibes developers is to change the text of their warning message and allow user rating of gadgets. Neither of are significant mitigations to the threats to their service and I'd recommend that they reconsider and actually secure their service instead of pushing this onto their users.