Gervase Markham points to an interesting AJAX attack on Gmail. It’s an interesting read and is explained quite simply. It sounds like something which could be quite common in "AJAX" (I really hate that term) applications, especially with things such as JSON.