Ryan Naraine of the ZDNet Zero Day Security Blog reported on several security holes that plague Google’s services and products. Read the entire post at http://blogs.zdnet.com/security/?p=539

Among the holes is one affecting Gmail, in which hackers are able to plant a script that forwards email from a user’s Gmail account to an email account set up by a hacker. This can cause serious privacy issues for companies, especially public companies, which may be using Gmail as forwarding accounts for corporate email, or may be using the “Google Applications for the Enterprise” service, which is built in part on top of Gmail.

The Google search appliances that are marketed and sold to businesses and government agencies to index and provide search results for internal documents are also at risk because of a cross-site scripting bug. Another bug exists in Google’s blog hosting service, BlogSpot, that can cause sensitive information to get into the wrong hands. A cross-site scripting bug leaves the BlogSpot Polls susceptible to hijacking. See Beford.org

The Picasa photo-sharing desktop application and web service contains a vulnerability that is subject to an exploit scenario using cross-site scripting, cross-application request forgery and a URI handler weakness. This gives an attacker the ability to steal photographs from the user’s hard drive, not just from the Google photo-sharing web site.

Another cross-site scripting bug in the Urchin Analytics service can be used to steal user credentials.