I’ve mentioned the google script insertion flaw before, Google don’t seem to want to do anything about it, I’ve emailed firstname.lastname@example.org, but have had no response from them, well I got automated responses (that latest had number #15585565 in the subject no idea what that means).
Google Desktop has made the exploit even more dangerous - because it places the results of a desktop search into the output of a regular google search, the exploit now allows the capturing of information from the local computer - okay it’s not much information, but how long is a password or a credit card number? It’s also able to capture all the searches you make, and the ads/links you click and report them to a 3rd party site.
The exploit is trivial, and to get a user to use it, any of the popular “search my site” google forms can do it, or after a link to google . My sample google exploit is pretty poor, it tends to error with some strange timing issues occasionally (the data is still sent though), it only works in IE (the google desktop results are only inserted in IE, but the general security flaw is common to many browsers, it’s not an IE security flaw) but it shows how easily it can be done - it took me half an hour, more malicious users could make it neater easily.