Google has plugged a vulnerability in its Gmail service that could allow an
attacker to gather email addresses from a user's account and possibly gain
access to the account.
A blogger by the name of 'Anthony', who claims on his blog to be 14 years old,
accidentally stumbled on the flaw when he was mailing some JavaScript to his
Gmail account from an outside email address.
When he opened the message in Gmail, the service executed the script.
"Apparently JavaScript will run if it is within the preview of the message,"
Anthony wrote on his blog.
Google confirmed the vulnerability in an email to
vnunet.com. "We learned of a minor security
flaw in Gmail a little while ago and worked quickly to fix the problem, which
has now been resolved," wrote Google spokeswoman Sonya Borälv.
Google criticised the blogger for publicly disclosing details about the flaw
before notifying the company.
"We encourage all vulnerability reporters to follow responsible disclosure
practices and notify vendors first before making the vulnerability public,"
said Borälv.
The blog posting went up on Wednesday at around noon. Google had updated and
patched its service about three hours later.