day macha

When logged in to gmail, if you visit an external and malicious site, that site can attempt to guess and change your gmail password.

According to Y Combinator news (Hacker News) and this page, Gmail isn't going to fix this problem. They could fix it by preventing GET requests to the password changer, and/or by ensuring there's a CAPTCHA between the user/attacker and the password changer (although a CAPTCHA would only slow the attack down, not stop it).

An attacker could do the same with POST requests, but it’s much easier to send GET requests than POST: in a web browser, you need to submit HTML forms to send POST requests, which is an extra hurdle for the attacker.
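As an added illustration, not Gmail's code nor anything from the linked discussion, here is a minimal Python model of a password changer that accepts any request, beside a hardened form that applies the fixes discussed above (refuse GET, require a session-bound token, and re-check the current password). The request model, handler names and in-memory store are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed request model: method, query/form parameters, and the server-side
# session for the logged-in user (an assumption, not any real mail service's API).
@dataclass
class Request:
    method: str
    params: dict
    session: dict = field(default_factory=dict)

def issue_csrf_token(session: dict) -> str:
    """Mint a per-session secret, store it server-side, and embed it in the form."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def change_password_vulnerable(req: Request, store: dict) -> str:
    """Weak version: any method, no token, no re-authentication. A plain GET
    triggered from another site changes the password of whoever is logged in."""
    if "user" not in req.session:
        return "not logged in"
    store[req.session["user"]] = req.params["new"]
    return "changed"

def change_password_hardened(req: Request, store: dict) -> str:
    """Hardened version: POST only, session-bound CSRF token compared in constant
    time, and the current password must be supplied so a forged request fails."""
    if "user" not in req.session:
        return "not logged in"
    if req.method != "POST":
        return "rejected: method"
    expected = req.session.get("csrf")
    supplied = req.params.get("csrf", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return "rejected: csrf"
    user = req.session["user"]
    if not hmac.compare_digest(store[user], req.params.get("current", "")):
        return "rejected: current password"
    store[user] = req.params["new"]
    return "changed"
```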

Anyway, ensure you log out of Gmail, and don't visit strange sites — or familiar sites which have been hacked… — while you are logged in to Gmail.
