I was interested in this, as I have been looking at how "news" is disseminated. Most of it is "spun" by commercially involved parties to lazy journalists who like a "scare" story. Interestingly this story is genuine, rather than manufactured "scare" stuff.
1. Who on earth are "INSERT"? These sorts of groups are usually industry PR operations to scare the hell out of the readers. This lot appear genuine: "Information Security Research Team (INSERT), a joint research group effort of the University of Puerto Rico at Mayaguez (USA) and the State University of Ceara (Brazil)."
2. They have a good update on it here [ece.uprm.edu]
"Due to the unexpected media impact of our report on Gmail's recently found flaw, we felt inclined to give a little update on the issue.
As of 3:00 PM (GMT -0400) today, the flaw we have reported remains unpatched and exploitable. We have run a new experiment where we were able to use our attack to send 2,000 messages using one Gmail account.
We would like to clarify to the security community that we have contacted Google about the issue more than a week ago and no response was provided despite our clear intent of cooperation regarding this matter."
Sort of worrying that Google stick their head in the sand and don't even reply to academics who apparently do not have an axe to grind.
They tell the whole story including what they have done, how they did it, and the scale of it. It appears to actually be a lot more than a "scare story".