Gmail Flaw

After posting my last article about the contacts "JSON API", Haochi Chen discovered that by simply appending a "callback" variable in the URL, the creators of a malicious site could gain access to a visitor's entire Gmail contact list without warning.
This sample script once proudly displayed the visitor's contact list if they were logged into their Google account. Only hours after it was reported to the Google security team, the vulnerability was fixed.
Serious Gmail vulnerability fixed - ZDNet

Even Google isn't perfect. But apparently the response was quick.

[ Update ]

Apparently it still isn't completely fixed.

The problem is only partially fixed. The vulnerability exposed through video.google.com has been patched up, but there are other subdomains where the problem still exists.
Serious Gmail vulnerability fixed - ZDNet


It seems the bug I referred to in my last post is only partially fixed ― but I am confident it will be closed up soon. In the meantime, I recommend you log out of Gmail when you are not using it until the problems are solved.
Rough times for Gmail in the new year - ZDNet
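
The "callback" behaviour described in the first quote, as an added example that is not part of the original post and not Google's code: a constructed handler that wraps cookie-authenticated JSON in a caller-named function, beside a hardened version. The `sid` cookie, the contact data, the function names and the `X-Requested-With` check are assumptions made for illustration.

```javascript
// Constructed sample data: session id -> contact list (hypothetical names).
const CONTACTS = new Map([["sid-alice", ["bob@example.com", "carol@example.com"]]]);

// Look up the contact list for the "sid" cookie on the request, if any.
function sessionContacts(req) {
  const m = /(?:^|;\s*)sid=([^;]*)/.exec(req.headers.cookie || "");
  return m ? CONTACTS.get(m[1]) : undefined;
}

// BEFORE: the session cookie alone authorises the request, and a "callback"
// parameter turns the reply into script. Browsers attach cookies to
// cross-site <script> loads, so the including page's function gets the data.
function contactsVulnerable(req) {
  const contacts = sessionContacts(req);
  if (!contacts) return { status: 401, headers: {}, body: "" };
  const json = JSON.stringify(contacts);
  const cb = req.query.callback;
  return cb
    ? { status: 200, headers: { "Content-Type": "text/javascript" }, body: `${cb}(${json})` }
    : { status: 200, headers: { "Content-Type": "application/json" }, body: json };
}

// AFTER: cookie-authenticated data is never emitted as executable script.
function contactsHardened(req) {
  const contacts = sessionContacts(req);
  if (!contacts) return { status: 401, headers: {}, body: "" };
  // Reject script-style access outright rather than silently ignoring it.
  if ("callback" in req.query) return { status: 400, headers: {}, body: "" };
  // A <script> include cannot set custom headers; same-origin XHR can.
  // (Header choice is an assumption; a per-session token works the same way.)
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: { "Content-Type": "application/json", "X-Content-Type-Options": "nosniff" },
    body: JSON.stringify(contacts),
  };
}
```

The hardened handler has to be applied on every host that serves the data under the same session cookie, which is the gap the second quote describes for other subdomains.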