I found this interesting post about a security hole in Google Code. It’s quite complex, though the post is written very well, so you’ll be able to get the point easily.
The basic idea is that, thanks to some tricks, you can get a Java file that’s uploaded to Google Code to run from anywhere and have access to the whole Google domain. So if you’re a Google user and you are logged in, this Java applet is logged in as well.
Google was able to disable this unwanted functionality, but I’m pretty sure that if you search for other websites with those problems you’ll find them out there.