Had Google left the the cross-site scripting (XSS) vulnerability unpatched, hackers could have modified third-party Google documents and spreadsheets as well as had access to e-mail subjects and search history.
According to Philipp Lenssen, the author of Google Blogoscoped, the first Google Custom Domains vulnerability allowed Tony Ruscoe (another Google expert) to create a page that was hosted on a Google.com domain. Ruscoe proved that he could have used code to steal a user"s Google cookie and access their Google services. The second vulnerability, reported by Lenssen, would also have enabled a hacker to use JavaScript code to pass cookie data to an external source.
Google hit two birds with one stone according to a representative: "Google was alerted to these issues, and we worked quickly to fix the problems, which have been resolved. We have not received any reports of user data being compromised."