Google has plugged a vulnerability in its Gmail email service that could allow an attacker to gather email addresses from a users' account and possibly gain access to the account.

A blogger who goes by the name of Anthony and on his blog claims to be 14 years old accidentally stumbled upon the flaw when he was mailing some javascript to his Gmail account from an outside email address.

He found that when he opened the message in Gmail, the service would execute the actual script.

"Apparently javascript will run if it is withing the preview of the message, " Anthony wrote on his blog.

Google has confirmed the vulnerability.

"We learned of a minor security flaw in Gmail a little while ago and worked quickly to fix the problem, which has now been resolved," Google spokeswoman Sonya Borälv said.

The company criticized the blogger for choosing to publicly disclose details about the flaw before notifying the company.

"We encourage all vulnerability reporters to follow responsible disclosure practices and notify vendors first before making the vulnerability public," Borälv said.

The blog posting went up on Wednesday around noon. Google had updated and patched its service about 3 hours later.