Google's Gmail service suffers from security flaws that make it trivial for attackers to create authentic-looking spoof pages that steal users' login credentials, a security expert has demonstrated. Google Calendar and other sensitive Google services are susceptible to similar tampering.
A proof-of-concept (PoC) attack, published by Adrian Pastor of the GNUCitizen ethical hacking collective, exploits a weakness in the google.com domain that allows him to inject third-party content into Google pages. The result is this page, which allowed him (at time of writing, anyway) to display a fraudulent Gmail login page that displayed mail.google.com in the browser's address bar.
Link: The Register