TidBITS reports on a malicious e-mail

[...] that appeared to be an invitation from a known correspondent to join a Google Doc. However, the linked Web page requested that you grant access to an app that looked like Google Docs, but was instead an app that sent spam to people in your contact list.

According to Google, "no other data was exposed" besides the contact lists, and the attack was stopped after about an hour, with "fewer than 0.1 percent" of Google Mail (Gmail) users affected.

A Motherboard article says the attacker was able to use OAuth to impersonate Google. A security researcher says

[...] he warned Google directly about this vulnerability in 2012, and suggested that Google address it by checking to [...] ensure the name of any given app matched the URL of the company behind it.
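The kind of name-versus-owner check the researcher describes can be sketched as follows. This is an added example, not Google's code or anything from the cited articles; the brand table, function names and sample URLs are constructed for illustration.

```python
from __future__ import annotations
import unicodedata
from urllib.parse import urlsplit

# Constructed registry: brand keyword -> domains the brand owner controls.
BRAND_DOMAINS = {
    "google": {"google.com"},
    "examplecorp": {"examplecorp.example"},
}

def _fold(name: str) -> str:
    """NFKC + casefold, then keep only alphanumerics. This collapses
    fullwidth letters, spacing tricks and zero-width characters.
    Cross-script homoglyphs would additionally need a confusables table."""
    text = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in text if ch.isalnum())

def _host(url: str) -> str:
    # Hostname only; a URL without a scheme yields "" and is treated as unowned.
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def _owned_by(host: str, domains: set[str]) -> bool:
    # The domain itself or a true subdomain, never a bare suffix match
    # ("notgoogle.com") or a prefix trick ("google.com.login.example").
    return any(host == d or host.endswith("." + d) for d in domains)

def name_matches_owner(display_name: str, developer_urls: list[str]) -> tuple[bool, str]:
    """Reject an app registration whose display name claims a brand while
    any of its developer/redirect URLs sits outside that brand's domains."""
    folded = _fold(display_name)
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in folded:
            continue
        hosts = [_host(u) for u in developer_urls]
        outside = [h for h in hosts if not _owned_by(h, domains)]
        if not hosts or outside:
            return False, f"name claims '{brand}' but URLs are {outside or 'missing'}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed registrations: (display name, developer URLs)
    for name, urls in [
        ("Google Docs", ["https://docs.google.com/oauth/cb"]),
        ("Google Docs", ["https://docs-share.example/cb"]),
        ("G\u200boogle Docs", ["https://google.com.login.example/cb"]),
        ("Team Notes", ["https://notes.example/"]),
    ]:
        print(repr(name), urls, name_matches_owner(name, urls))
```
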

