So I had a quick look at Google Checkout, expecting to see no background colour, and probably some trivial XSS exploits. I didn't see an immediately obvious XSS exploit, but they don't bother to sanitise the continue URL or have a charset defined, so there's probably something you can do there.

More interesting were the attempts to actually buy anything. Trying on the Google store failed with an "Oops! An error occurred while processing your request." There was no way to try again, no way to get back to my order. The first site I tried, a good example of the sort of sites you can use Google Checkout on, is probably the leading snorkel provision site with Bob in the URL: Snorkelbob.com didn't let me use Google to pay at all. So I tried Dick's Sporting Goods; again, it failed, it just took me to the same oops page, with no way to return.

So whilst I didn't immediately find the XSS flaws I expected, I definitely found a service that doesn't even begin to work. I don't think PayPal need be worried. I think stores would be rather foolish to sign up with Google Checkout given the failures I've experienced. At the very least you expect error pages to get you back to the store in question. How many lost sales will sites put up with?