Google Vulnerability A Sign Of Web 2.0 Weakness


Managers must weigh security risks and protect systems as employees use Web applications from workplace computers.



A recently found flaw in Web-based Google applications spotlights a growing concern: how to protect IT systems and data as workers access Web-based e-mail and collaborative applications.

Google's problem made it possible, in theory, for an attacker to access the contact information in a user's Gmail account through "cross-site request forgery," overwriting JavaScript used to send information from Google servers to the user's PC. Google fixed the flaw within 24 hours.

It's "a bellwether of things to come as people get more serious about SOA and Web 2.0 capabilities," warns Gary McGraw, CTO of Cigital, a software security and reliability company.

How big a worry are consumer-focused Web apps? "Web mail accounts give you access to everything," contends Jeremiah Grossman, CTO of WhiteHat Security, a maker of Web app security assessment software. Grossman, a former Yahoo security officer, says cross-site request forgeries can let an attacker, in addition to poaching information from Web mail, access any account the user is logged on to.

451 Group senior analyst Nick Selby counters that companies' security measures to protect against malware should defend Web apps, too. The bigger danger is probably employees using them to leak data outside employers' IT environments.


