Vahe G. created a site, http://guntada.blogspot.com, demonstrating a vulnerability in Google Apps Script. If you visited the site while already logged into a Google account, it would harvest your Google email, and it proved this by emailing you immediately.
And it even works in “incognito” mode (aka porn mode).
This isn’t a particularly dangerous exploit, but it sure is something a lot of people would love to have on their own sites. The ability to harvest emails from anyone already signed into Google, not to mention just see exactly who’s visiting the site, is extremely valuable. A comment thread (see pic) also mentioned a related issue with App Engine a month ago.
The site is down now; here’s what it looked like:
“We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to [email protected]”