Following the Proof of Concept by Adrian Pastor and no further response from the Google security team, the decision was made to publish the findings.
"You all learned about the value of sharing. When I was a kid my mother taught me that I should share my stuff with my friends. Unfortunately, sharing is not always a good thing. Especially, when talking about sharing web-applications across domains.
Over six months ago I've discovered an interesting, yet troubling, issue - Google.com suffers from a cross-domain web-application sharing security design flaw. There are several Google web applications which are accessible over multiple google.com subdomains. The following are some of those web-applications and subdomains:
- Google Maps (maps.google.com)
- Google Mail (mail.google.com)
- Google Images (images.google.com)
- Google News (news.google.com)
- Google.com (Google Search, Google Accounts, Google Apps, Google History, etc.)"
Frame Injection Fun
Frame Injection Vulnerabilities
Google Open to Frame Injection Attack
Sharing is not always a good thing