If you use Google to send email, organize photos or help administer your website, doomwatchers have cataloged three new ways to steal your data and compromise the security of your users. All three of the techniques rely on cross site scripting, or XSS, in which hackers inject unauthorized code by making it appear as if it's hosted by a trusted website.
The most serious vulnerability resided in the so-called polls application, a part of Google Groups. It made it possible to steal contacts and messages from Gmail accounts. A Google spokesman on Monday afternoon said the flaw had been fixed.
Multiple pieces of proof-of-concept code posted online graphically demonstrated the potential for attacks that target the weakness. One stole all contacts listed in a Gmail account, while a second sent all incoming Gmail messages to an email account of the researcher's choosing.