“Thanks for your report on the GMail session-id-in-URL leak – nicely spotted! This affects a subset of people, so I’m glad you pointed it out. As you noted in your blog post, we’ve made sure this no longer appears in the URL. That’s issue #2 in your blog post. Unlike issue #2, issue #1 does not relate to any mail.google.com data.”

My response:-

issue1:- My Mistake, i did not see the hostname correctly. Yes, it may not have a direct impact on mail.google.com but an attacker could change the http response and thus present a victim with a login page which will submit the credentials to an attacker controlled website. This attack will be quite stealth and will fail the existence of https as the URL will say http://www.google.com. Further, i haven’t looked into what an attacker could do with cookies obtained via the http request. Not all cookies are marked secure, and i am not sure if the cookies not marked as secure can be used to obtain a secure cookie too or if they can used in google accounts etc. All in all, it may be worth fixing it.:)