To exploit the flaw, the hacker adds a piece of code to their website server, which in turn gives them access to the Gmail contacts of passing browsers, if users are signed in to their Gmail account.
There is some speculation about how serious a flaw this is, and whether there has been a complete fix. According to ZDNet blogger Garrett Rogers Google has partially sorted out the problem.
"The problem is only partially fixed. The vulnerability exposed through video.google.com has been patched up, but there are other subdomains where the problem still exists," said Rogers in his blog.
Google was unavailable for comment at the time of writing.