I have successfully exploited a Google vulnerability which was ignored by Google itself from last 2 Months.
2.) User will land to the page having URL in address bar as Google.com/______
3.) Using Cross site scripting vulnerability I generate a Pop-Up that will convince a Google user to believe that their cookies expired and they have to Login again to access next pages (Please do not enter your original username / password)
4.) The Phishing login form is designed using Google service itself and Points to my EVIL server.
5.) Once user will try to Login, all credentials will save here and page will show "Done" without any reload.
By definition : Phishing is tricking users to believe that they are on right webpage and the demonstration successfully showed this.
Google also said that hosting such type of content on Google services is violating their services, but please note that we already follow the non-disclosure way two months ago and its enough time to take action for fixing the bug. By disclosing exploitation with demo is now necessary to make them believe that - It WORKS !!
Note for Google : Either Google can call it under "Same origin policy" or "violation of services" , For an Attacker and a victim your policies are nothing. Even the source of POC is not hosted on Google and we are calling it from our server so we are not violating your any policy. We Respect you and trying to help you to understand the RISK and warning or readers to be aware about such phishing attacks.