Philipp Lenssen writes about a new vulnerability that lets an attacker hijack a user's Google account by stealing cookies. That means any "bad guy" who knows how this works could theoretically do all of the following by impersonating you:
- Read and modify any document in your Google Docs & Spreadsheets account
- Read the subjects and a small snippet of your emails through the Gmail gadget for Google Personalized Homepage
- View your Google Accounts page
- Read your subscriptions in Google Reader
- Log into your Google Notebook
- View your search history in Google
Tony Ruscoe found the problem and immediately reported it to Google's security team. It's frightening to think what would happen if there were any "bad guys" as smart as Tony. Philipp refuses to disclose the details of the exploit until it has been fixed by Google -- but if the speed at which Google fixed their last major security hole is any indication, I would suspect this one to be patched up rather quickly.