In February this year the security researcher beNi found an XSS flaw on Google's login page. See the screenshot of how this "secure" SSL page could be tampered with, before the development team closed the hole.
Google did respond to beNi and thanked him for the discovery, but he was a bit disappointed that they did not show more gratitude than they did. I understand him. A company the size of Google should be able to show greater gratitude towards the friendly hackers who help them protect their applications.
Since beNi wasn't happy, he now says that in the future he will not warn them before revealing similar exploits.
So the other day he showed us a proof of concept of how a criminal can get access to all contacts in Gmail, and also to the Google Authentication Token. These can be found on a page that generates an XML document. Really scary, actually. If you are logged in to your Gmail account you can see it for yourself by visiting the following address.
beNi goes on to show how this information can be used in an attack. For that he needed an XSS flaw on Google, and he found one rather quickly. Read his blog post for more information and images. I have also saved a screenshot of the last step in the exploit, which you can see above.
So from now on we know that Gmail information isn't really kept safe. The only thing a criminal needs is an XSS flaw on Google, and there seem to be quite a few: any script an attacker gets to run on a Google page runs under the same origin as the XML page, so it can read the contacts and the token directly and send them wherever it likes. I recommend that you be careful when you see links pointing to Google if you are a Gmail user. If there is any doubt about the source of the link, you shouldn't click it.
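To make the two halves of the attack concrete, here is an added illustration in JavaScript. It is not beNi's proof of concept and not Google's code: the reflected-parameter page, the XML layout, the `token` attribute and the contact addresses are all constructed for this example. The first part shows the pattern behind a reflected XSS flaw beside the escaping that would have closed it; the second part shows what a script running on the same origin can pull out of an XML page like the one described above.

```javascript
// Added example, not code from the original post or from Google.
// Everything below (the XML layout, the token name, the sample contacts and
// the parameter rendering) is invented for illustration.

// Constructed stand-in for a same-origin XML document that lists contacts and
// carries a session token. The element and attribute names are assumptions.
const SAMPLE_XML = `<?xml version="1.0"?>
<contacts token="AUTH_TOKEN_EXAMPLE_123">
  <contact><name>Alice</name><email>alice@example.com</email></contact>
  <contact><name>Bob</name><email>bob@example.com</email></contact>
</contacts>`;

// What an injected script can do once it has fetched such a document from the
// same origin: pull out every address and the token. In a browser the input
// would be the body of an XMLHttpRequest to the XML page; here the document
// is passed in directly so the example runs offline.
function extractSecrets(xml) {
  const tokenMatch = xml.match(/token="([^"]*)"/);
  const token = tokenMatch ? tokenMatch[1] : null;
  const emails = [...xml.matchAll(/<email>([^<]*)<\/email>/g)].map(m => m[1]);
  return { token, emails };
}

// Minimal HTML escaping for text placed into an element body. This is the
// step a page that reflects user input without encoding it is missing.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// A page fragment that reflects a query parameter. The first variant is the
// shape of a reflected XSS flaw; the second is the same page with the fix.
function renderVulnerable(msg) {
  return `<p>${msg}</p>`;
}
function renderHardened(msg) {
  return `<p>${escapeHtml(msg)}</p>`;
}

// Crude detector: does the rendered HTML contain a <script> tag the server
// never intended to emit?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Placeholder payload; a real one would fetch the XML page and exfiltrate it.
const PAYLOAD = '<script>/* attacker script would go here */</script>';

// Runs both halves and returns the results so they can be checked.
function demo() {
  return {
    vulnerable: containsScriptTag(renderVulnerable(PAYLOAD)), // true
    hardened: containsScriptTag(renderHardened(PAYLOAD)),     // false
    leaked: extractSecrets(SAMPLE_XML),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The lesson of the second half is that output encoding on every Google page is only one side of the fix: as long as a page on the same origin hands out the contact list and the token to any script that asks, a single missed encoding anywhere on that origin is enough.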
Personally I don't use Gmail and have only one contact there. But the fact that the Google Authentication Token can be accessed so easily makes me really nervous. I don't want anybody to take over my Google login and start playing around with my AdSense account and the other services I use.
Also read hac.kers.org, which has a comment on the disclosure.