For over two years Google has had an script insertion flaw, I reported it two years ago, and again a couple of months ago, but still it's not been fixed. Google Desktop has made the situation worse, as now google search results include the content of local files in the search results. With this in mind I produced a couple of simple example exploits.
Credit Card Phishing example
You can replace the content of the Google page with your own content, here I replaced it with a simple credit card submission form suggesting that google will shortly become a subscription service. Screenshot of it in use.
The desktop sniffer example
Visit Google with this link, and the inserted google desktop search for password will be reported to my site.
The exploit might be easier to do with a custom form: