Rosario Valotta sent me an email today describing a webmail XSS worm he has written - the first I am aware of that is cross domain. There has been a few webmail worms, like Yamanner but nothing quite like this. Rosario picked four Italian webmail services, Libero.it, Tiscali.it, Lycos.it, and Excite.com and built a worm that works across all four domains.
His writeup discusses how he did it. He also included a video as a demonstration of the worm. It walks through how the worm works using a lot of popups showing each step. Of course, a really virulent worm wouldn’t have as many visual queues, but this is a really great visual demonstration. It’s also timely given Billy Hoffman’s talk on web worms next month.