A new Gmail vulnerability lets an attacker change a Gmail user's password, wage a denial-of-service attack on the account, or even access other Gmail users' email. Google maintains that the flaw is not a major one because such an attack wouldn't be easy to pull off. An attacker can build a phony Web page that accepts requests for Gmail password changes, and then lets the attacker change the victims' passwords without their knowing, while evading CAPTCHA restrictions.
Source: https://threatpost.com/gmail-flaw-exposes-change-password-feature-030309/72365/

