The latest unpublished XSS for which I got in the Hall of Fame is still unpatched.

Here is the PoC I sent Google:

http://maps.google.com/?z=4&pw=2

And insert this inside the notes:

[cc lang=”html”][/cc]

The PoC we sent to Google is located here.

It will give us your cookie with which we can take over your Google account including things like gmail and youtube so beware!

For a simple PoC you probably just want to go to:

http://maps.google.com/?z=4&pw=2

And insert this in the notes:

[cc lang=”html”][/cc]

Source here: http://h.ackack.net/unfixed-google-hack.html