An XSS is a tad different than being owned (IMHO), but certainly isn't an ideal thing to see right away.

The cool part is that things like this will encourage them to put more security-by-default sorts of APIs into GAE.

Most everyone doing lots of web apps gets bitten by XSS at some point. Nothing embarrassing about it IMHO.

But Google has probably hired ten PhDs just to make sure none of their products gets exploited like this.

But the PhDs failed. Thus, it's newsworthy.

Hiring PhDs for this task was their first mistake.

That's a simple XSS example hack. Google should have filtered that out, but it's not that bad either (as long as they react fast).

While THAT may be an example of a SIMPLE attack, probably for the sake of showing off, what if "the goog" had exposed web services retrievable by Ajax for logged in users as part of AppEngine and THAT was exploited via the SIMPLE XSS hack?

It makes no sense. Why do we just brush stuff under the rug when it's Google or some other major player that's generally well liked?

misleading headline. plus why is a valleywag article showing up on HN, I can get that elsewhere.

"misleading headline"

Absolutely. Any fewl know it should be "pwned".