I don't really see how hosting the attack at Google is impressive — gmodules.com is no more believable as a proper login page than login.google.com.2de4dasdz.cx, or any of the usual phishing URL schemes.
Maybe there's some merit to not loading external, untrusted gadgets into waves without user approval, but where there's user-supplied data, there'll always be phishing.
Well, it is not believable. The point here is that many people dont really notice the URL, specially when they are redirected to that page from inside Wave.
Maybe there's some merit to not loading external, untrusted gadgets into waves without user approval, but where there's user-supplied data, there'll always be phishing.