Google Auctions XSS Proof of Concept

Note: Google has now fixed the vulnerability. After a recent article by the folks at NeoSmart.net http://neosmart.net/blog/archives/194 which seemingly downplayed the severity and danger posed by XSS (cross site scripting), I thought it pertinent to help elucidate just how powerful XSS can be. The vast majority of XSS proof-of-concepts are limited to simple javascript alerts. When visiting an XSS injected url, you see some pop up that warns you of the vulnerability. This is substantial enough for professionals to understand the severity of the injection, but to the average web user it seems no more dangerous than any other pop up they encounter. The truth is, however, that XSS is an extremely powerful method through which a criminal can rely on the trust a user...