Google Account XSS (Fixed)
Published on:
1178119072
Though it is already fixed, I would still like to show it to you because it is an interesting one. Finding an XSS hole in Google is tough, and usually requires some luck. This one is obviously a mistake made by connecting different accounts together and thereby introducing a new XSS hole. It was reported by Rodrigo Lacerda, aka RodLac.
https://www.google.com/accounts/ServiceLoginBoxAuth?Email=%3Cscript%3Ealert('XSS')%3C/script%3E&Pass
The reason I am showing it to you, and the speed with which Google fixed it, are interesting on several points. If Rodrigo Lacerda had not reported it, it could have remained a hole for a very long time and given blackhats more room to exploit. So, if it implies anything, it must imply that Google has unfixed holes at any time, waiting to be found, and thereby we can fairly say that even they still make big mistakes. I mean, come on... an XSS hole on a login form!
Google boasted many times that they hire the smartest people. I really begin to doubt that.
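To show what the Email parameter in the URL above decodes to, and what the fix for this class of bug looks like, here is an added example; it is not Google's code and not part of the original post. The two templates and the `loginbox` markup are assumptions, since the post does not show where the value was reflected.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The URL exactly as printed on this page (it is cut off after "Pass").
REPORTED_URL = ("https://www.google.com/accounts/ServiceLoginBoxAuth"
                "?Email=%3Cscript%3Ealert('XSS')%3C/script%3E&Pass")


def email_param(url):
    """Return the Email parameter after URL-decoding, as the server receives it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("Email", [""])[0]


def render_unsafe(email):
    # Assumed 'before' template: the request value is concatenated into HTML as-is.
    return '<div class="loginbox">Sign in as ' + email + "</div>"


def render_safe(email):
    # Assumed 'after' template: HTML-encode at output time; quote=True also
    # encodes ' and " so the same helper is safe inside an attribute value.
    return '<div class="loginbox">Sign in as ' + html.escape(email, quote=True) + "</div>"


class _TagCollector(HTMLParser):
    """Records every element an HTML parser actually opens in the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def parsed_tags(markup):
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    value = email_param(REPORTED_URL)
    for render in (render_unsafe, render_safe):
        page = render(value)
        print(render.__name__, parsed_tags(page), page)
```

Parsing the rendered output and asserting on the elements it contains makes a useful regression test for every request parameter a login page echoes back.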