First, Happy 2007 to all.
You can find the explanation of the flaw here.
Basically, Google Docs has a script that runs a callback function, passing it your contact list as an object. The script presumably checks a cookie to ensure you are logged into a Google account before handing over the list.
Unfortunately, it doesn’t check what page is making the request. So, if you are logged in on window 1, window 2 (an evil site) can make the function call and get the contact list as an object. Since you are logged in somewhere, your cookie is valid and the request goes through.
Also, if you check the object that is returned, you see fields for the contact’s name, email and “affinity”. Presumably, a higher affinity means a more-emailed contact, so it may be possible to know the relative importance of your contacts.
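As an added illustration (not code from the original post, nor Google's own), here is a simplified contacts endpoint in the vulnerable shape the post describes, next to a hardened version. The session store, anti-CSRF token, origin and contact data are all constructed for the example.

```javascript
// Constructed sample state: one logged-in session and its contact list.
const SESSIONS = { "sess-abc": { user: "alice", token: "tok-123" } };
const CONTACTS = {
  alice: [{ name: "Bob", email: "bob@example.com", affinity: 7 }],
};

// Read the session cookie, which the browser attaches to every request to
// this host, whichever page issued the request.
function sessionFor(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.cookie || "");
  return m ? SESSIONS[m[1]] : undefined;
}

// Vulnerable shape: only the cookie is checked, and the data is returned as
// executable JavaScript (callback(...)). Any site that loads this URL in a
// <script> tag gets the victim's contacts handed to its own function.
function vulnerableContacts(req) {
  const s = sessionFor(req);
  if (!s) return { status: 403, body: "" };
  const cb = req.query.callback || "callback";
  return {
    status: 200,
    contentType: "text/javascript",
    body: `${cb}(${JSON.stringify(CONTACTS[s.user])})`,
  };
}

// Hardened: require a per-session anti-CSRF token in a custom header, which a
// cross-site <script> tag or form cannot set; additionally reject a foreign
// Origin when one is present (script loads may omit it, so the token is the
// real gate); and return plain JSON rather than a script wrapper, so the
// response is data, not code another page can execute.
function hardenedContacts(req, ourOrigin = "https://docs.example") {
  const s = sessionFor(req);
  if (!s) return { status: 403, body: "" };
  const h = req.headers || {};
  if (h.origin && h.origin !== ourOrigin) return { status: 403, body: "" };
  if (h["x-csrf-token"] !== s.token) return { status: 403, body: "" };
  return {
    status: 200,
    contentType: "application/json",
    body: JSON.stringify(CONTACTS[s.user]),
  };
}
```

The same logged-in cookie satisfies the vulnerable handler from any page, but the hardened handler only answers a request that also carries the token, which same-origin script can read and a foreign page cannot.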
Apparently, this is a CSRF/XSRF (Cross-Site Request Forgery) attack.
CSRF is a relatively unknown type of attack on a website because it can be tricky to pull off, but this obscurity means that far more sites are vulnerable. In addition, CSRF has all the potential of XSS, so it is a powerful foe.
Joe Walker of DWR has written a detailed explanation of CSRF attacks and how to protect your applications from them.