Better think twice before using those nice Ajax desktops to lighten your daily burden of password submissions.
These “startpages” are very commonly used to quickly access a growing collection of online services: webmails, to-do lists, calendars, blogging tools, photo and video sharing, instant messaging, bookmarking, …
Just one login to display your whole online ecosystem in one neat page. How convenient! But what about security?
After all, you could think that it’s safer to provide all your credentials to Netvibes, Pageflakes, Protopage or Google than to store them in a plain-text file on your machine, or to always use the same weak password.
This could certainly be true, if the people running these services put security at the top of their priorities …
Unfortunately this is not the case, and the recent Netvibes hack is sad proof of how little attention is paid to protecting users’ data from malicious attackers.
A few days ago a French security blogger created a new module. The code was quickly validated and approved for inclusion in the Netvibes module library. Then he was allowed to modify the module without going through any additional verification step by Netvibes. (!)
The modified module was installed by thousands of users and it was able to retrieve stored preferences such as usernames and passwords from other modules loaded in the same page.
How is it possible?! Niall Kennedy explains:
A module developer is encouraged to access only their own module’s content using a special Netvibes variable, but any developer can request other content on the page through standard JavaScript or the Prototype JavaScript framework.
For further details, this blog has a copy of the now-removed original post with step-by-step instructions for hacking Netvibes (in French).