'High impact' Gmail password security hole blew accounts wide open
Google has fixed a "high impact" security bug in Gmail's password reset system that could have left any account wide open to a crafty hijacker.
The flaw, spotted by security researcher Oren Hafif, was exploited by sending a spoofed email that reminds the Gmail user that it's time to reset their password. Clicking on the link sends the user to a website that masquerades as a Google page and asks for the user for a new password. That hacker-controlled site also initiates a cross-site request forgery attack via XSS that tricks Google into handing over the victim's login cookie.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump