Yow-Hann Lee - Software Happens

All things Computer Science, .NET & WWW


I recently completed "How to Break Web Software - Functional and Security Testing of Web Applications and Web Services" by Mike Andrews & James Whittaker.

One of the ironies in the timing of my finishing this book, given the current news in tech, is that there is a quote from Harry Robinson of Google on the front cover. The quote reads, "The techniques in this book are not an option for testers–they are mandatory and these are the guys to tell you how to apply them". And as you may already know, Google has been in the news lately for several security vulnerabilities in its services. One of them was the Gmail cross-site scripting hole, and just yesterday another one was discovered, following the one found over the weekend.

The book covers cross-site scripting attacks in Chapter 5 and breaks them down into two categories, Stored XSS and Reflected XSS. (NOTE: Reflected XSS differs from phishing in that you are given a real, trusted URL; however, that URL has been tampered with, since script can be embedded in it.) The Google XSS case study from the book (http://jibbering.com/2004/10/google.html) is quite a bit older than this latest Gmail cross-site scripting issue.
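To make the two categories concrete, here is a small added example (my own illustration, not code from the book or from Google) of a page that reflects a search term from the URL and a page that serves stored comments, each in a vulnerable form and in a hardened form. The URL, the page template and the `render_*`/`post_comment` helper names are assumptions for the sake of the example; the one thing worth taking away is that the fix in both cases is HTML-encoding the untrusted value at the point where it is written into the page.

```python
"""Reflected vs stored XSS, and output encoding as the fix.

Added illustration, not code from the book or the original post. The
sample URL, the page template and the helper names are assumptions.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a real-looking, "trusted" URL whose query string
# carries a script fragment (the reflected case described in the post).
TAMPERED_URL = "https://example.test/search?q=%3Cscript%3Ealert(1)%3C/script%3E"

PAGE = "<html><body><p>You searched for: {term}</p>{comments}</body></html>"


def query_param(url: str, name: str) -> str:
    """Return the first value of `name` from the URL's query string ('' if absent)."""
    values = parse_qs(urlsplit(url).query).get(name, [""])
    return values[0]


def render_reflected_unsafe(url: str) -> str:
    """Reflected XSS: the query parameter is copied into the page untouched."""
    return PAGE.format(term=query_param(url, "q"), comments="")


def render_reflected_safe(url: str) -> str:
    """Hardened: HTML-encode the untrusted value at the point of output."""
    return PAGE.format(term=html.escape(query_param(url, "q")), comments="")


# Stored XSS: the payload arrives in one request and is served to every later visitor.
_comments: list[str] = []


def post_comment(text: str) -> None:
    """Store the comment as submitted; encoding belongs at output, not at storage."""
    _comments.append(text)


def render_comments(safe: bool) -> str:
    """Render stored comments; safe=False reproduces the stored-XSS defect."""
    encode = html.escape if safe else (lambda s: s)
    items = "".join(f"<li>{encode(c)}</li>" for c in _comments)
    return PAGE.format(term="", comments=f"<ul>{items}</ul>")


def contains_active_script(page: str) -> bool:
    """Crude check for a raw <script tag surviving into the rendered output."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_reflected_unsafe(TAMPERED_URL))   # script tag survives
    print(render_reflected_safe(TAMPERED_URL))     # &lt;script&gt;...
    post_comment("<script>alert(1)</script>")
    print(render_comments(safe=True))
```

The escaping is done at render time rather than when the comment is stored: storing raw text keeps the data usable in other contexts (JSON, logs, e-mail), while every HTML output path gets the same `html.escape` treatment.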

It is interesting to study the latest cases of XSS attacks. To Google's advantage, however, the culture around the company is still somewhat different: rather than pouncing on and exploiting these vulnerabilities, researchers give Google advance notice and time to fix its bugs. And as a "software as a service" provider, Google is in full control of its services (self-contained in its datacenters). A far more enticing goldmine for hackers would be Google Checkout, and if vulnerabilities are discovered there, it remains to be seen how their exploitation would unfold.

The good news is that all major security issues identified were fixed in a timely fashion by Google. That quick turnaround is the beauty of service providers, or application service providers (ASPs). Unfortunately, people who store sensitive information in various Google services (e.g. bookkeeping in Google Spreadsheets, sensitive documents in Google Docs, sensitive email, or worse yet email forwarded directly from work accounts) may begin to feel some anxiety.

Software as a service has its tradeoffs. An enterprise gives up a level of control by relying solely on a provider (e.g. CRM through Salesforce). When vulnerabilities are discovered in shipped software, identical attacks may not work against every enterprise, as some may already have applied a patch or run a tweaked infrastructure. With a hosted service, on the other hand, depending on the implementation, a single hole in one web service may give a consistent way of obtaining information from all of its different customers.

So while you enjoy the convenience of an almost "web OS" feel, unlike with an actual operating system there is no way to disconnect the network cable from your computer, and you cannot take the data offline quickly. (Note: you have options to save spreadsheets or store Gmail messages offline, but not in a centralized, one-click fashion.)

posted on Wednesday, January 17, 2007 1:37 AM