Spam hole in Google Mail
Until recently, a security hole in a Google API allowed emails to be sent to GMail users without knowing their email addresses. As reported by TechCrunch, victims only had to visit a specially crafted web site while being logged into their Google account.
Apparently, the hole could even be exploited while in Private Browsing mode, which doesn't usually give access to a user's cookies. The vulnerability allowed emails with arbitrary subject lines and message bodies to be sent from the email address firstname.lastname@example.org. As the emails included an authentic header, it was virtually impossible for users to distinguish them from an authentic email sent by Google.
The hole was discovered by a 21-year-old Armenian, Vahe G., who made his demo exploit freely accessible on Google's Blogspot / Blogger service. Google shut the blog down shortly after the exploit was reported and confirmed the problem in an email to TechCrunch. Google says that the hole in its Apps Script API has now been traced and fixed.