The last thing I want to do right now is post on another problem over at Google, but this was a big one. Basically, a website could download your entire Gmail contact list by adding a bit of code to its server and exploiting Google’s JSON API. The problem has apparently been fixed very soon after the vulnerability was found.
I’m not going to go on and on (again) about how much trouble Google is getting into with these problems. In this case, days did not go by before Google responded to the problem. They addressed it immediately.
This is good fodder for the ongoing JSON debate, though.