Universal XSS in all Google Services;SecurityFocus

Reportedly, a cross-site scripting vulnerability shared across Google services existed.

I recently reported a cross-site scripting flaw to Google, which is now fixed. The vulnerability existed in Google's Support Python Script where a malicious URL is not sanitized for the XSS character ' (single quote) before being put inside the JavaScript variable logURL. As a result, it was possible to break the encapsulation of the var declaration and execute arbitrary JavaScript commands on the main Google.com domain.

The only limitation was that the following characters were either filtered out or URL-encoded: " (double quote) < > (space) { }. However, this protection could be easily circumvented. I was able to write JavaScript statements to steal the session cookies [since characters such as ' ; . ( ) / = + were still available] and send them to my evil website. See the example given below.

http://www.securityfocus.com/archive/1/503389
