Eric Farraro, a software developer, found an exploit in Google Public Service Search, a little-known service that lets universities and other non-profit organizations add a ‘Google’ search to their website and customize the header and footer of the search results page. (Like Search for AdSense, it’s hosted on Google.)

With a little JavaScript, Eric was able to modify the page, which is supposed to be a search page, into a normal web page with login forms.


This is a proof of concept by Eric to show how Google can be used to phish, and since he’s a really nice guy, he contacted Google’s security team before posting his discovery on his blog.

JavaScript is really helpful, but it can sometimes be used for malicious purposes, as in this case and in related tricks such as the one in this post I wrote a couple of days ago about reading “masked” passwords in forms.
