"A trio of German security researchers from the University of
Ulm have looked into the question of whether it was possible to
launch an impersonation attack against Google services and started
our own analysis.
"The short answer is: Yes, it is possible, and it is quite easy
to do so. Further, the attack is not limited to Google Calendar and
Contacts, but is theoretically feasible with all Google services
using the ClientLogin authentication protocol for access to its
data APIs (application programming interface). In other words: We
are so hosed."