A few months ago I found a vulnerability in Google (Apigee Corp), which was acquired by Google in a deal worth $625 million in 2016. I was able to make an open redirect lead to XSS; as you know, Google did not use to accept open redirects.
VULNERABLE DOMAIN :
Not xss 😛 Lead
popup xss :p
All the impacts that a normal XSS can have.
Thanks for reading. Follow us on Twitter @spidersec