When I was testing Google Groups Beta (http://groups-beta.google.com/group/n3td3v), I found that script tags executed on the Google Groups site. This only seems to work when clicking on a reply thread, using the reply menu featured on a given group's homepage, when an older thread gets a reply.
If the thread reply you try to open has a script in it, then the script executes instead of taking you to the reply to the thread you were attempting to view. An attacker can send a reply to a thread on Google Groups Beta with a carefully crafted script in it to exploit Google Groups Beta users! This is probably just the tip of the iceberg of something bigger, but I thought I better mention it before malicious users started exploiting people.

Discovered today by n3td3v.

Thanks,
n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
