After I posted my last article about the contacts "JSON API", Haochi Chen discovered that by simply appending a "callback" variable to the URL, the creators of a malicious site could gain access to a visitor's entire Gmail contact list without warning.
var output = "";
for (var x = 0; x < response.Body.Contacts.length; x++) {
  output += response.Body.Contacts[x].Name + " <" + response.Body.Contacts[x].Email + "> ";
}
This sample script once proudly displayed the visitor's contact list if they were logged into their Google account. Only hours after it was reported to the Google security team, the vulnerability was fixed.
"Thanks for reporting this to us. We have identified and fixed the problem" -- Google Security
It's a little concerning that this problem even existed, but knowing the fix was made only hours after it was reported is somewhat reassuring.
The problem is only partially fixed. The vulnerability exposed through video.google.com has been patched up, but there are other subdomains where the problem still exists.
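Why the "callback" variable mattered, and what a server-side fix can look like, as an added example (not code from the original article or from Google). The handler names, the `token` and `csrfToken` fields and the sample contact are assumptions made for illustration.

```javascript
// Constructed sample data; field names mirror the article's response.Body.Contacts shape.
const CONTACTS = { Body: { Contacts: [{ Name: "Alice Example", Email: "alice@example.com" }] } };
const PREFIX = ")]}',\n"; // makes the body a syntax error if it is ever loaded via <script>

// Vulnerable pattern: a cookie-authenticated endpoint wraps private data in a
// caller-chosen function name. Script includes are not bound by the same-origin
// policy and carry the visitor's cookies, so any site can receive the data.
function vulnerableHandler(query, session) {
  if (!session.loggedIn) return { status: 401, type: "text/plain", body: "" };
  const json = JSON.stringify(CONTACTS);
  if (query.callback) {
    return { status: 200, type: "text/javascript", body: query.callback + "(" + json + ");" };
  }
  return { status: 200, type: "application/json", body: json };
}

// Compare the request token with the session token without an early exit.
// An empty or missing expected token never matches.
function tokensMatch(given, expected) {
  if (typeof given !== "string" || typeof expected !== "string") return false;
  if (expected.length === 0 || given.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= given.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Hardened pattern: ignore "callback" entirely, require a per-session secret
// that a cross-site page cannot read, and return prefixed JSON only.
function hardenedHandler(query, session) {
  if (!session.loggedIn) return { status: 401, type: "text/plain", body: "" };
  if (!tokensMatch(query.token, session.csrfToken)) {
    return { status: 403, type: "text/plain", body: "" };
  }
  return { status: 200, type: "application/json", body: PREFIX + JSON.stringify(CONTACTS) };
}
```

A same-origin client fetches the hardened response with its token, strips the known prefix and then calls `JSON.parse`; a cross-site script include gets a 403, and even with a leaked token the body would not execute.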