GoGrid CSRF + XSS

After announcing a breach of payment information and an audit by a leading security firm, GoGrid's enhanced login page contained a cross-site scripting (XSS) vulnerability that could be exploited via cross-site request forgery (CSRF), as the video demonstrates.

A single XSS can cause a lot of havoc, including stealing API keys and adding users to somebody else's account. The victim does have to be logged into the management portal for this vulnerability to be exploited.

Some things GoGrid could do to improve security: validate all user input, encode output properly for the context it lands in, implement CSRF tokens on state-changing requests, add clickjacking protections (framing restrictions), and deploy something like Content Security Policy.

GoGrid was notified of and responded to these security issues on 3/31/2011.

Does your web app need a security audit? YES. Contact us for a quote.
