For those brave of heart, you can test and execute it directly by putting it in your URL location bar preceded by
The full details of this attack are on github: Hello, want to kill some time? including a bookmarklet that can run on any website. The attack can also be easily modified to demonstrate XSS vulnerabilities so you will never have to see another boring
alert(document.cookie) popup box again.