By altering the "From" address field of an e-mail sent to the service, hackers could potentially find out a user's personal information, including passwords.
At first glance, to the average user the e-mail would appear normal. But by clicking "show options" within the Gmail interface, the "Reply-To" field will show HTML code that is actually a formatted version of another user's e-mail, HBX wrote on its Web site.
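The defect the article describes is a display layer that trusts mail headers: whatever a sender puts in "From" or "Reply-To" is dropped straight into the page's HTML. The following is an added example (not code from the article or from Gmail) showing that vulnerable pattern next to its hardened form. The sample message, the `phish.invalid` link and the `hdr` class name are constructed for illustration.

```python
import html
import re
from email import message_from_string
from email.message import Message

# Constructed sample message (not from the article): the Reply-To header
# carries raw HTML, the kind of value the article describes turning up in
# the webmail "show options" view.
RAW_MESSAGE = (
    "From: alice@example.com\r\n"
    'Reply-To: <b>Account Team</b> <a href="http://phish.invalid">Mail</a> <bob@example.com>\r\n'
    "Subject: hello\r\n"
    "\r\n"
    "body text\r\n"
)

MSG: Message = message_from_string(RAW_MESSAGE)

# Anything that starts like an HTML tag: '<' followed by a tag name.
TAG_RE = re.compile(r"<([a-zA-Z][a-zA-Z0-9]*)")


def render_header_unsafe(msg: Message, name: str) -> str:
    """Vulnerable pattern: the header value is interpolated straight into HTML.

    Anything in the header that looks like a tag becomes live markup, so a
    sender controls part of the page the recipient sees."""
    return f'<span class="hdr">{msg.get(name, "")}</span>'


def render_header_safe(msg: Message, name: str) -> str:
    """Hardened version: HTML-escape the value before it reaches the page.

    '<', '>', '&' and quotes become entities, so the browser renders the
    header as text, which is all a mail client should ever do with it."""
    return f'<span class="hdr">{html.escape(msg.get(name, ""), quote=True)}</span>'


def injected_tags(rendered: str) -> list:
    """Return the tag names a browser would parse in the rendered fragment,
    other than our own wrapper span. An empty list means nothing was injected.

    Note that even the plain address '<bob@example.com>' shows up as a bogus
    tag in the unsafe render: an unescaped header is wrong even when the
    sender is not malicious."""
    return [t for t in TAG_RE.findall(rendered) if t.lower() != "span"]


if __name__ == "__main__":
    for render in (render_header_unsafe, render_header_safe):
        out = render(MSG, "Reply-To")
        print(render.__name__, "->", out)
        print("   tags a browser would see:", injected_tags(out))
```

Escaping at the point of output is the whole fix: the header value is never "cleaned" on the way in, because the mail client has to store and forward it unchanged; it is only encoded when it is rendered into HTML.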
Well, really, these mistakes are pretty easy to make. How many forums are there out there that still have a way of inserting arbitrary HTML? A lot. And XSS exploits are rampant. Fact is, humans just do not think of everything.