It sounds like a bad proxy cache is serving someone else's content to him. I'm just guessing, but I've seen it happen before (with both Gmail and FriendFeed).

I've had the same thing happen with Google calendar. (Later, randomly, I happened to meet socially the guy whose calendar I was mistakenly allowed to read. That was weird.)

Gmail serves its content via HTTPS, which isn't (statefully) proxyable or cachable by design. The explanation from Google makes no sense. If they're serving readable/unencrypted content to anything but the end user's web browser then they have a serious security flaw.

It's not really fair to you, but it's funny to see someone from the interwebs telling Paul how Gmail works.

Unless you force it over to HTTPS or use an extension, it still uses plain ol' HTTP after authentication.

I never understood why that was. I use https://mail.google.com to login and it sticks with https.

That's what he means by "forcing it" - if you specifically type https://mail.google.com/ Gmail will encrypt the entire session; if you just go to http://mail.google.com/ or (more commonly) www.gmail.com it uses SSL for authentication, then switches you back to unencrypted HTTP for the rest of your session.

His screenshot clearly shows that he's accessing Gmail over HTTP http://neosmart.net/blog/wp-content/uploads/gmailsecuritylea...

This headline jumps to premature conclusions; he saw something weird but there's no confirmation yet that it's a Gmail-specific vulnerability.

In particular, it could be a problem with a misbehaving cache closer to him. (Note especially: in his second screenshot, he's in "Basic HTML" mode. In both screenshots, he's using plain 'http' not 'https' connections.)

It's possible it's Google's fault, but to broadcast that impression without further investigation is unfair to readers -- it's stealing attention with trumped-up claims.