Gmail/Google XSS can be used to steal contacts (and the authentication token)
An XSS in the Google Groups web site, combined with a “feature” of the Gmail integration with Google Groups, allows an attacker who can trick you into clicking on a specially crafted URL to steal:
- All Contacts you’ve ever mailed (Name and Email address)
- Your Gmail authentication token
For more details go to this page.
(NOTE: The vulnerability still works as of 2007-03-15 16:12 GMT+0)