Google starts into 2007 with a feature that allows bad guys to steal your GMail contacts list. http://blogs.zdnet.com/Google/ has more. But before you follow any links today, you should maybe make sure that you are not logged in on GMail...
This is actually a "Cross Site Request Forgery" (CSRF), not a "Cross Site Scripting" attack. Google had the bug fixed by the time the issue was made public.
Jan 2nd 2007
1 decade ago