Here is a big one for the new year. A guy has found a vulnerability that enables websites to obtain your Gmail contacts list as long as you are logged in when you display the page.
Update: It seems to be partially fixed, but let's be careful. My own confidence in this kind of hosted solution for the general public was not very high. This is not going to improve it.