Well, it seems that everyone's friend Google has teething issues with its Beta Groups. Simply by having a user click a "groups-beta" link, any script can be injected into the user's browser (confirmed by the author in Internet Explorer): if a user views a thread carefully crafted by a malicious user, then the script executes instead of the thread. This appears to manifest itself if the malicious script is embedded in the content of the message body itself. Simply reading a group posting has the same effect.
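The behaviour described above is what happens when a message body is written into the thread page without output encoding. The following added example (not Google's code and not from the original post; all function names and the sample posting are assumptions constructed for illustration) renders a posting with and without HTML escaping and checks which tags end up in the page.

```javascript
// Added illustration: hypothetical renderer for a group posting.
// The sample posting below is constructed; the marker script is inert.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Flawed pattern: subject and body are concatenated into markup as-is,
// so markup in the message body becomes part of the page.
function renderPostingUnsafe(post) {
  return '<div class="post"><h3>' + post.subject + '</h3><pre>' +
    post.body + '</pre></div>';
}

// Hardened pattern: every user-controlled field is encoded on output.
function renderPostingSafe(post) {
  return '<div class="post"><h3>' + escapeHtml(post.subject) + '</h3><pre>' +
    escapeHtml(post.body) + '</pre></div>';
}

// Regression check: list the tag names actually present in rendered HTML.
// A correct renderer only ever emits the template's own tags.
function tagNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)) {
    names.add(m[1].toLowerCase());
  }
  return [...names].sort();
}

// Constructed sample posting with markup in the message body.
const samplePost = {
  subject: 'Hello & welcome',
  body: 'Nice thread <script>/* marker */</script>',
};

console.log('unsafe tags:', tagNames(renderPostingUnsafe(samplePost)));
console.log('safe tags:  ', tagNames(renderPostingSafe(samplePost)));
```

Comparing `tagNames` of the rendered page against the template's fixed tag list works as a unit test for any view that displays user-supplied postings.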