Are Google.com domain’s links always safe to click on?
On Nov 1, 2012, I noticed something strange in the behavior of Google's Producer. In the beginning it was only an HTML injection. Then I succeeded in exploiting it. However, the XSS was in a sandbox domain: producer.googleusercontent.com. A few days later, I noticed that the simulations of tablets (iPhone, iPad, Android, etc.) are connected to the sandbox domain through google.com/producer. Using the Grand Access, the attacker could send a malicious link that seems to be hosted on Google.com. Furthermore, the attacker could inject any DOM script he wanted.
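The point of a sandbox domain is that a script injected there runs in a different origin from google.com, so it cannot read google.com cookies or DOM; what the post describes is a google.com path that hands the browser off to that sandbox, so "the link is on google.com" stops being a useful safety signal. The following added example (mine, not code from the original post or from Google) makes both halves concrete: an origin comparison as the browser's same-origin policy does it, and a link classifier that follows a constructed hand-off rule to the origin the user actually lands in. The `www.google.com/producer` path, the `url` query parameter and `HANDOFF_RULES` are assumptions modelled loosely on the hop the post mentions, not Google's real endpoint behavior.

```python
"""Added example: sandbox-domain origin isolation versus a trusted-host hand-off.

All hosts, paths and the `url` parameter are constructed assumptions for
illustration; they are not Google's real endpoints or parameters."""

from urllib.parse import urlparse, parse_qs, quote

DEFAULT_PORTS = {"http": 80, "https": 443}

# Hosts a user (or a mail filter) would naively treat as "safe to click".
TRUSTED_HOSTS = {"www.google.com", "google.com"}


def origin(url):
    """Return the (scheme, host, port) triple the same-origin policy compares."""
    p = urlparse(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        raise ValueError("unsupported or malformed URL: %r" % url)
    return (p.scheme, p.hostname.lower(), p.port or DEFAULT_PORTS[p.scheme])


def same_origin(a, b):
    """True only if scheme, host and port all match (no subdomain leniency)."""
    return origin(a) == origin(b)


# Constructed hand-off rules (hypothetical): a (host, path) on the trusted
# domain whose page forwards the browser to the URL given in a query parameter.
HANDOFF_RULES = {("www.google.com", "/producer"): "url"}


def effective_origin(url, rules=HANDOFF_RULES, max_hops=5):
    """Follow hand-off rules until the URL no longer matches one and return the
    origin the user actually ends up in.  Bounded to avoid redirect loops."""
    for _ in range(max_hops):
        p = urlparse(url)
        host = p.hostname.lower() if p.hostname else ""
        param = rules.get((host, p.path))
        if param is None:
            return origin(url)
        target = parse_qs(p.query).get(param, [None])[0]
        if target is None:
            return origin(url)  # hand-off endpoint called without a target
        url = target
    raise ValueError("too many hand-off hops")


def looks_trusted(url, trusted_hosts=TRUSTED_HOSTS):
    """The naive check: does the link start on a trusted host?"""
    return origin(url)[1] in trusted_hosts


def is_trusted(url, trusted_hosts=TRUSTED_HOSTS):
    """The check that matters: does the user *land* on a trusted host?"""
    return effective_origin(url)[1] in trusted_hosts


# Constructed sample link: starts on the trusted host, lands in the sandbox.
SANDBOX_PAGE = "https://producer.googleusercontent.com/preview?id=1"
SAMPLE_LINK = "https://www.google.com/producer?url=" + quote(SANDBOX_PAGE, safe="")


if __name__ == "__main__":
    print("sandbox is a separate origin:",
          not same_origin("https://www.google.com/", SANDBOX_PAGE))
    print("link looks trusted:", looks_trusted(SAMPLE_LINK))
    print("link is trusted:", is_trusted(SAMPLE_LINK))
```

Running it shows the sandbox domain is indeed a distinct origin (so the XSS by itself is contained), while `SAMPLE_LINK` passes the naive host check and fails the effective-origin check. A defender vetting links should compare the landing origin, and a site operating a sandbox domain should not expose a path on its main domain that forwards to arbitrary sandbox content.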