Google rewarded a security researcher with $5,000 for discovering and reporting a cross-site scripting (XSS) vulnerability in the Google Apps management console that could have given an attacker full control over a Google Apps account.
Many businesses associate their domains with Google services, which gives them access to Gmail and lets them work with Google Apps.
Brett Buerhaus, a security technician at Blizzard Entertainment, discovered an XSS flaw that could be exploited when connecting to the management console.
Exploiting this vulnerability could have let the attacker create new users at any privilege level, including super administrator; change security settings for users or domains; and change domain settings so that incoming e-mail is redirected to a different domain.
The attacker could also have taken over other e-mail accounts through the password reset mechanism and disabled two-factor authentication, leaving the targeted account with far weaker protection.
The researcher published a proof of concept (PoC) to back up his claims. Google has already fixed the vulnerability.