This will seem like an odd post at first. Netvibes is vulnerable to XSS. “Wow” you’re saying, “Who cares? Practically every website is.” This one was a little different than most. What I noticed on a random blog site was the initial URL. What happened was that the URL itself was pretty tame. Just a redirection back to the homepage. In that redirection a cookie was set. Can you see where I’m going with this?
So upon redirection to the site there was no XSS in the URL string, it was, in fact Netvibes’ homepage. The problem is that Netvibe’s homepage is dynamically constructed and looks at those cookies. Those cookies contain our XSS script. They even try to take account XSS by escaping quotes. Alas, that’s pretty trivial to get out of.
Netvibes is only interesting because of the sheer volume of users who could be phished and because it affects their homepage. It’s also interesting because I’ve heard of a few tools that might try to take into account the URL of the page you are on, and in this case unless it also counted redirections that protection would fail. I know I have a few Netvibes users, so unless you typed in the URL by hand, be careful!