When I was testing Google Groups Beta
(http://groups-beta.google.com/group/n3td3v) I found the script tags
executed on the Google Groups site. This only seems to work while
clicking on a reply thread, using the reply menu, featured on a given
groups homepage, when an older thread gets a reply.
If
Script injection in Google Groups Beta. If a user views a thread
carefully crafted by a malicious user, then the script executes,
instead of the thread.
Concept:
http://groups-beta.google.com/group/n3td3v/browse_thread/thread/2379f18f5986c985
All users are vulnerable.