A Security Researcher named as TiPi discovered 8 XSS vulnerabilities in Google and he earned $1200 for google security vulnerability findings. He list out the vulnerabilities in his own blog.
He managed to find XSS vulnerabilities in Google Map,Google Map Maker, Google Map Maker Profile,Google Orkut, Google Science Fair, Google Caption Contest. All of them are Persistent vulnerabilities.
He published a proof of concept:
1. Persistent Google Maps XSS
Description: XSS injection in the nickname display of the Google Maps profile.
Type: Persistent XSS
URL: http://maps.google.com/maps/user?uid=[CENSORED]
Payload: <img src="<img src=search"/onerror=alert("TiPiXSS")//">
State: Fixed
Reward: None, found by someone else in the same period
Screenshot:
2. Persistent Google Map Maker XSS
Description: XSS injection in the nickname display of a Google Map Maker profile, in the appelication itself.
Type: Persistent XSS
URL: http://www.google.com/mapmaker?gw=55&editids=a1hYkdXPQxZ36B7xzV&iwloc=0_0
Payload: <img src="<img src=search"/onerror=alert("TiPiXSS")//">
State: Fixed
Reward: None, found by someone else in the same period
Screenshot:
3. Persistent Google Map Maker Profile XSS
Description: XSS injection in the title of a Google Map Maker profile. The display of the nickname itself on the profile was filtered.
Type: Persistent XSS
URL: http://www.google.com/mapmaker?gw=66&uid=[CENSORED]
Payload: </title><img src="<img src=search"/onerror=alert("TiPiXSS")//">
State: Fixed
Reward: None, found by someone else in the same period
Screenshot:
4. Google Orkut XSS
Description: XSS in community description. You don't have to click the HTML button. The XSS triggered every time you tried to edit the community description or tried to view the communication settings. Not a self XSS, as communities can have several administrators.
Type: Persistent XSS
URL: http://www.orkut.com/Main#Community?cmm=[CENSORED]
Payload: <img src="<img src=search"/onerror=alert("TiPiXSS")//">
State: Fixed
Reward: $500
5. Google Science Fair XSS
Description: funny self XSS in a new Google project, "Google Science Fair" (isolated domain). You could enter any HTML code and javascript in the form where you could provide additional team members. The XSS would trigger when you click "register", and hover with your mouse over that field.
Type: SELF-XSS
URL: https://www.googlesciencefair.com
Payload: <script>alert('TiPïXSS!');</script>
State: Fixed
Reward: None
Screenshot:
6. Google Caption Contest XSS
Description: users could add comments (and malicious HTML code) on the submitted captions forThe Google Caption Contest.
Type: Persistent-XSS
URL: http://www.googleinsidesearch.com/captions.html
Payload: <img src="<img src=search"/onerror=alert("TiPiXSS")//">
State: Fixed
Reward: $100
He also discovered two more vulnerabilities and earned around $500 but google didn't fix the yet. so he just provide a screenshot