We have done a little investigating on this issue with our toolkit, to see the impact, if any.
The kicker would be to get the auth token they'd need to hijack the domain/site that mail is hosted on, since the browser will only send it to the site where the cookie was set.
There's really only one way to get the auth token:
You need an authorized username and password.
If your site is hijacked, I think you have bigger worries than just the toolkit.
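The point above rests on browser cookie scoping: a session cookie set by the mail host is only attached to requests that match that cookie's host/Domain, Path and Secure rules. The following is an added example, not code from the original post or from any toolkit it refers to, that models those rules following RFC 6265 (domain and path matching) so you can check concretely which URLs a given Set-Cookie would be sent to. The host names, cookie values and helper names are assumptions made up for the illustration; the public-suffix check that real browsers apply to the Domain attribute is left out for brevity.

```python
# Added example (not from the original post): a small RFC 6265 cookie-scope
# checker. Hostnames, cookie names/values and function names are assumptions.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    domain: str      # setting host, or the Domain attribute (lower-case, no leading dot)
    path: str        # Path attribute, defaults to "/"
    secure: bool     # Secure attribute present
    host_only: bool  # True when no Domain attribute was given


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain, or is a subdomain of it."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: equal, or prefix ending in '/' or followed by '/'."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def parse_set_cookie(header: str, setting_host: str) -> Cookie:
    """Parse the attributes we care about from a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    domain, host_only, path, secure = setting_host.lower(), True, "/", False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain, host_only = val.lower().lstrip("."), False
        elif key == "path" and val.startswith("/"):
            path = val
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), domain, path, secure, host_only)


def would_send(cookie: Cookie, url: str) -> bool:
    """Would a browser attach this cookie to a request for `url`?"""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if cookie.host_only:
        if host != cookie.domain:
            return False
    elif not domain_matches(host, cookie.domain):
        return False
    if not path_matches(u.path or "/", cookie.path):
        return False
    if cookie.secure and u.scheme != "https":
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: the mail host sets a host-only, Secure session cookie.
    sid = parse_set_cookie("sid=abc123; Path=/; Secure", "mail.example.com")
    for target in (
        "https://mail.example.com/inbox",       # same host, https: sent
        "https://attacker.example.net/steal",   # other site: not sent
        "http://mail.example.com/inbox",        # plain http, Secure cookie: not sent
        "https://www.example.com/",             # sibling host, host-only cookie: not sent
    ):
        print(f"{target}: {'sent' if would_send(sid, target) else 'not sent'}")
```

The last case is the one worth remembering: a cookie set without a Domain attribute is host-only, so even another host under the same registrable domain does not receive it; only a cookie explicitly scoped with `Domain=example.com` is shared across subdomains.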
