[ I really didn't want to write about this, but because many news sites (Slashdot, Digg) already talk about this, it can't bring too much trouble. ]
Do you remember the post about the XML that contained your Gmail contact list? Well, Haochi from Googlified discovered that by adding "out=js" at the end of that URL, you can get the same data in JavaScript format. Even more, if you add "callback=name", you get a JavaScript code that can be used in any web site. This thing has a name: JSON and it's a very practical way of importing data into a JavaScript application. The problem here is that anyone can import your Gmail contact list (if you are logged in) and send it to a server.
The JavaScript file is used by Google to make it easy to send videos to your contacts in Google Video, to invite people in Google Spreadsheets and Google Notebook. So it's not a bug in Gmail, they just exposed some data in a wrong way.
Google can fix this in many ways and will certainly fix it. Until then, it's a good idea to sign out of Gmail when you're not using it.
Update (after a day): Google fixed the security vulnerability.