Google has replied that the vulnerability has since been fixed. However, Israeli security researcher Nir Goldshlager, who provided proof-of-concept exploits of the cross-site scripting scenarios to Google, warned that information from stolen cookies can be used even if the password is changed.
"The system authenticates the hacker as the victim, using the stolen cookie file. Thus no password is involved in the authentication process. The victim can change his password as many times as he wants, and it still won't stop the hacker from using his box," Goldshlager said.