In what seems to be an exploit searching frenzy, Haochi uncovered another XSS vulnerability that easily and without the victims consent can steal cookies and hijack your Google account. Like the last two found (within in the last 16 days), the bad guy only has to host a website and get someone to visit.
I will not give you details as to how the exploit works until it has been fixed -- but I can tell you that it is extremely easy for anyone who knows HTML to exploit.
I highly recommend making sure you are completely logged out of your Google account while browsing the internet until we have an official statement from Google stating their security team has thoroughly reviewed every Google property for these types of vulnerabilities. If Google needs help, I'm sure Haochi and Tony would be up for the challenge!