In Friday’s InformationWeek there is an article detailing a “bug that could let hackers use Google Maps to infiltrate Google, Google Mail, or Google Apps accounts”.
According to the article, a frame injection attack could be used to phish login credentials from Google users via Maps:
Google Maps and other Google Apps vulnerable to attack by Mike Blumenthal
Adrian ‘pagvac’ Pastor, a security researcher with GNUCitizen.org, on Friday posted proof-of-concept code that can inject a third-party page — a fake login page in Pastor’s example — while the user’s browser address bar still displays the Google domain. This could dupe the user into entering login details.
“The beauty of frame injection attacks is that the attacker is able to impersonate a trusted entity without needing to bypass XSS/HTML filters or even break into the target server,” Pastor explained on the GNUCitizen site.
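A defensive check for the class of bug described above, as an added example that is not from the article, Pastor's proof of concept, or Google's code. It assumes the address loaded into a frame is taken from request data (the article does not detail the mechanism), and the hostnames, `TRUSTED_ORIGINS`, `PAGE_URL` and `checkFrameSrc` are constructed for illustration.

```javascript
// Added example: allowlist check applied before a page loads a
// requested URL into one of its frames.
// TRUSTED_ORIGINS and PAGE_URL are constructed placeholder values.
const TRUSTED_ORIGINS = new Set(["https://maps.example.com"]);
const PAGE_URL = "https://maps.example.com/app/index.html";

// Decide whether a requested frame URL may be loaded.
// Returns { ok, href, reason } so rejections can be logged and alerted on.
function checkFrameSrc(candidate, pageUrl = PAGE_URL) {
  const reject = (reason) => ({ ok: false, href: null, reason });
  if (typeof candidate !== "string" || candidate === "") return reject("missing");
  let url;
  try {
    // Resolve against the page URL exactly as a browser would, so relative,
    // protocol-relative and backslash forms are judged by where they point.
    url = new URL(candidate, pageUrl);
  } catch {
    return reject("unparseable");
  }
  // Only https content may be framed; this also drops javascript: and data:.
  if (url.protocol !== "https:") return reject("scheme");
  // "trusted-host@other-host" puts the trusted name in userinfo, not the host.
  if (url.username !== "" || url.password !== "") return reject("userinfo");
  // Exact origin comparison; substring or prefix tests on the raw string
  // would accept look-alike hosts such as maps.example.com.login.example.net.
  if (!TRUSTED_ORIGINS.has(url.origin)) return reject("origin");
  return { ok: true, href: url.href, reason: null };
}

// Constructed sample inputs: two legitimate values, then the kinds of value
// that would place a third-party page under the trusted address bar.
const SAMPLES = [
  "/help/panel.html",
  "https://maps.example.com:443/legend",
  "//login.example.net/fake",
  "\\\\login.example.net/fake",
  "https://maps.example.com.login.example.net/",
  "https://maps.example.com@login.example.net/",
  "http://maps.example.com/legend",
  "javascript:void(0)",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", JSON.stringify(checkFrameSrc(s)));
}
```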