LivingSocial Password Reset XSS+CSRF

To me this XSS on LivingSocial was kind of fun. First of all, the injection point was the first name of the user, which, it appears, can't be changed after signup.

The password reset page outputs the first name of the user when a reset is requested, but why would a user type in my email address to XSS themselves? They wouldn't. Instead we use Cross-Site Request Forgery to auto-submit the password form. This also shows a quick peek into a really alpha version of the xss.io CSRF tool.

LivingSocial did respond fairly quickly to address the issue.
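
The chain described above needs two things: a stored first name that is written into the reset page unencoded, and a reset form that accepts a cross-site POST. The following is an added Python sketch of both defenses, not LivingSocial's code or code from this post; the function names, the in-memory user store and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import secrets

# Constructed sample data: an account whose first name was set to markup at signup.
USERS = {"user@example.test": {"first_name": "<script>alert(1)</script>"}}
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (assumption)


def csrf_token(session_id: str) -> str:
    """Token the server embeds in the reset form it serves to this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_reset_sent(first_name: str) -> str:
    """Confirmation page body; the stored name is HTML-encoded on output."""
    safe_name = html.escape(first_name, quote=True)
    return "<p>Hi {}, check your inbox for a reset link.</p>".format(safe_name)


def handle_reset_request(session_id: str, form: dict) -> tuple:
    """Handle a POST to the reset form (hypothetical handler); returns (status, body)."""
    supplied = str(form.get("csrf_token", "")).encode()
    expected = csrf_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        # A form auto-submitted from another origin cannot read this token.
        return 403, "<p>Invalid or missing CSRF token.</p>"
    user = USERS.get(form.get("email", ""))
    if user is None:
        # Same generic answer whether or not the address is registered.
        return 200, "<p>If that address is registered, a reset link was sent.</p>"
    return 200, render_reset_sent(user["first_name"])


if __name__ == "__main__":
    sid = "session-abc"  # constructed session identifier
    forged = {"email": "user@example.test"}  # cross-site POST, no token
    genuine = {"email": "user@example.test", "csrf_token": csrf_token(sid)}
    print(handle_reset_request(sid, forged))
    print(handle_reset_request(sid, genuine))
```

Either control alone stops the chain as described; applying both means an encoding regression on one page does not become remotely triggerable.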
