The flaw could be exploited whether or not the user was browsing in Google Chrome's Incognito mode. Thankfully, Vahe simply e-mailed the users to warn them of the flaw, even though he could have sent spam (with or without malware) to the list of e-mail addresses he amassed. Since it appeared as if the e-mail originated from Google, users would have been much more likely to click whatever link was included in the spam message.
"We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account," a Google spokesperson said in a statement. "We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to email@example.com."