Google has plugged a flaw that could allow websites to strip the contact lists from the accounts of Gmail users. 

The feature was designed to look for information in a Gmail user's contact book, instead of using a browser's auto-complete function to choose an email address.

Proof-of-concept code posted online showed that a user who was logged into Gmail and who visited a site running specific JavaScript code could have their address book stolen.

The JavaScript function was supposed to open Gmail's address book to other applications, such as Google's video site and its online office products.

However, the attack would have allowed spammers to build up a list of email addresses very quickly.

Google blogger Haochi Chen, who spotted the flaw, said he only received automated texts back from the Google security team when he first contacted them.

"Finally, about an hour ago or so, Google has patched the vulnerability, thoroughly, as far as I can tell," he said. "That's like 30 hours after I notified the Google security team."

• Google Patent Search under fire
• Google granted US patent for 'similarity engine'