Nobody's perfect, not even Google! Thanks to REz (a member of the CeSeNA group) I found out about this interesting feature (or bug?).
Try it yourself; this is the vulnerable link:
http://www.google.com/custom?hl=en&cof=L%3Ahttps://lh5.googleusercontent.com/-EvyPBS_l_xs/AAAAAAAAAAI/AAAAAAAAAAA/zPEV7I5plmE/photo.jpg?sz=200&q=http%3A%2F%2Fwww.marcoramilli.com%2F&btnG=Search
The cof variable does not seem to be filtered. Even the best web company on the web can fall to common vulnerabilities.
Here is TheHackerNews report.
UPDATE-1:
If you think like Anonymous:
"There's nothing weird about the "col" argument. It's there to let users add a logo to the search page, when they embed a site search on their own page. It's restricted to a specific Google domain, and there's no way to break out of the src attribute."
Please try it yourself before writing insulting comments.
Here is the link:
http://www.google.com/custom?hl=en&cof=L%3Ahttp://profile.ak.fbcdn.net/hprofile-ak-snc4/41644_100001697891319_8196115_n.jpg&q=http%3A%2F%2Fwww.marcoramilli.com%2F&btnG=Search
As you can see, profile.ak.fbcdn.net is outside the specific Google domain.
Again, I have not changed (or personalized) the Google logo. It's still there. BTW, I am not saying that this is a huge Google bug or that you can exploit it or whatever... I am just saying that you can insert something weird through "cof" and "L", at least to me... Is this a feature? Well, cool, I'm fine. Please stop being offensive while hiding behind anonymity.
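The comparison made in UPDATE-1, as an added example that is not part of the original post and not Google's code: it pulls the `L` entry out of `cof` for both links above and checks its host against an allowlist. The allowlist contents and the `;`-separated `KEY:value` layout of `cof` are assumptions; the post only shows a single `L:` entry.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts a logo may be loaded from. Hypothetical allowlist, not Google's.
ALLOWED_LOGO_SUFFIXES = ("googleusercontent.com",)

# The two links from the post.
POST_LINKS = [
    "http://www.google.com/custom?hl=en&cof=L%3Ahttps://lh5.googleusercontent.com/-EvyPBS_l_xs/AAAAAAAAAAI/AAAAAAAAAAA/zPEV7I5plmE/photo.jpg?sz=200&q=http%3A%2F%2Fwww.marcoramilli.com%2F&btnG=Search",
    "http://www.google.com/custom?hl=en&cof=L%3Ahttp://profile.ak.fbcdn.net/hprofile-ak-snc4/41644_100001697891319_8196115_n.jpg&q=http%3A%2F%2Fwww.marcoramilli.com%2F&btnG=Search",
]

def parse_cof(cof):
    """Split a cof value into {KEY: value}; assumes ';'-separated KEY:value pairs."""
    fields = {}
    for item in cof.split(";"):
        key, sep, value = item.partition(":")  # first ':' only, URLs contain more
        if sep and key:
            fields[key.strip()] = value.strip()
    return fields

def logo_url(link):
    """Return the L (logo) entry of the link's cof parameter, or None."""
    for cof in parse_qs(urlsplit(link).query).get("cof", []):
        fields = parse_cof(cof)
        if "L" in fields:
            return fields["L"]
    return None

def logo_host_allowed(url):
    """True only for http(s) URLs whose host is an allowed domain or a subdomain of it."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    # Match on a dot boundary so "notgoogleusercontent.com" does not pass.
    return any(host == s or host.endswith("." + s) for s in ALLOWED_LOGO_SUFFIXES)

def audit(link):
    """Return (logo URL, allowed?) for one search link."""
    url = logo_url(link)
    return url, (url is not None and logo_host_allowed(url))

if __name__ == "__main__":
    for link in POST_LINKS:
        print(audit(link))
```

The check uses the parsed hostname rather than a substring test, so a URL that merely mentions an allowed domain in its userinfo or path is still rejected.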
UPDATE-2:
Many emails from forced me to change the title from Google XSS to Google Feature or Bug?