A serious vulnerability in the password reset process of Google accounts allows an attacker to hijack any account. Researcher Oren Hafif demonstrated the feasibility of a spear-phishing attack that chains several flaws, including cross-site request forgery (CSRF) and cross-site scripting (XSS). The attacker's site performs a CSRF request that submits an attacker-chosen email address and, once that completes, launches the XSS exploit. The user clicks Reset Password and is then asked to reset their password.
Source: http://securityaffairs.co/wordpress/19892/hacking/hacking-google-gmail.html
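To make the CSRF half of that chain concrete, the following added example (not Google's code and not from the article; every name, endpoint and address in it is made up) models a "set recovery e-mail" handler that trusts the session cookie alone, next to a hardened version that also checks the Origin header and a per-session anti-CSRF token. A page on another origin can make the victim's browser send the cookie, but it cannot read the token or forge the Origin, so only the vulnerable handler accepts the attacker-chosen address.

```python
# Added illustration of the CSRF flaw class described above. Hypothetical
# endpoint and names; not Google's implementation.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SITE_ORIGIN = "https://accounts.example.test"   # hypothetical first-party origin


@dataclass
class Session:
    user: str
    recovery_email: str
    # Per-session anti-CSRF token: embedded in the site's own forms and
    # never readable by a page on another origin.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST (constructed for this example)."""
    cookies: Dict[str, str]      # attached by the browser, cross-site included
    form: Dict[str, str]         # body chosen by whoever built the form
    origin: Optional[str]        # Origin header, set by the browser


SESSIONS: Dict[str, Session] = {}


def vulnerable_set_recovery_email(req: Request) -> int:
    """Vulnerable: authorises by session cookie alone, so a form that
    attacker.test auto-submits from the victim's browser is accepted."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401
    sess.recovery_email = req.form["recovery_email"]
    return 200


def hardened_set_recovery_email(req: Request) -> int:
    """Hardened: the same handler plus an Origin check and a per-session
    anti-CSRF token compared in constant time."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401
    if req.origin != SITE_ORIGIN:
        return 403
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess.csrf_token):
        return 403
    sess.recovery_email = req.form["recovery_email"]
    return 200


def simulate(handler, cross_site: bool):
    """Create a logged-in victim session, send one POST through `handler`
    and return (status, recovery e-mail afterwards).

    cross_site=True : the POST is auto-submitted by a page on attacker.test;
                      the browser still attaches the victim's cookie, but the
                      attacker knows neither the token nor a valid Origin.
    cross_site=False: a genuine submission from the site's own form.
    """
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user="victim", recovery_email="victim@mail.test")
    if cross_site:
        req = Request(cookies={"sid": sid},
                      form={"recovery_email": "attacker@evil.test"},  # attacker-chosen
                      origin="https://attacker.test")
    else:
        req = Request(cookies={"sid": sid},
                      form={"recovery_email": "new@mail.test",
                            "csrf_token": SESSIONS[sid].csrf_token},
                      origin=SITE_ORIGIN)
    status = handler(req)
    return status, SESSIONS[sid].recovery_email


if __name__ == "__main__":
    print("vulnerable, cross-site: ", simulate(vulnerable_set_recovery_email, True))
    print("hardened,   cross-site: ", simulate(hardened_set_recovery_email, True))
    print("hardened,   first-party:", simulate(hardened_set_recovery_email, False))
```

The Origin check alone is not sufficient on its own (some older clients omit the header, and a same-origin XSS, such as the second flaw in the chain above, can read the token and pass both checks), which is why the two flaws together are what made the account takeover work; the token plus Origin check closes the cross-site vector, and a `SameSite` cookie attribute adds a third layer in current browsers.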

