First security hole in Android?

It looks like Davenum has found the first security hole in Android. A quote from the comments:

I’ve tested your code and it seems that content://googleaccounts/accounts/ returns login and hashed password, however content://settings/googlelogin returns login and password in plain text, so basically any application can read your account settings.

The problem seems to be that the login and password are stored unencrypted in \settings\googlelogin. More on this issue, along with proof-of-concept (PoC) code, is available on Davenum's blog.
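For developers who want to check their own apps for the same class of exposure (a content provider any installed application can read), here is an added audit sketch; it is not code from Davenum's blog or from Android itself. It assumes the manifest attributes of current Android (android:exported, android:permission, android:readPermission) rather than the early SDK discussed above, and the sample manifest and its com.example.* names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def world_readable_providers(manifest_xml, exported_by_default=True):
    """Return authorities of <provider> entries that any app could query.

    exported_by_default models a missing android:exported attribute:
    True for apps targeting API 16 or lower, False for API 17 and above.
    Limits of this sketch: <path-permission> children are ignored, and a
    permission is not checked for its protectionLevel (a "normal" one can
    still be requested by any app).
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for provider in root.iter("provider"):
        exported = _attr(provider, "exported")
        is_exported = exported_by_default if exported is None else exported == "true"
        # android:readPermission takes precedence over android:permission for reads
        read_guard = _attr(provider, "readPermission") or _attr(provider, "permission")
        if is_exported and not read_guard:
            findings.append(_attr(provider, "authorities"))
    return findings

# Constructed sample manifest (hypothetical package and provider names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <provider android:name=".AccountsProvider"
              android:authorities="com.example.accounts"
              android:exported="true"/>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.notes"
              android:exported="true"
              android:readPermission="com.example.permission.READ_NOTES"/>
    <provider android:name=".CacheProvider"
              android:authorities="com.example.cache"
              android:exported="false"/>
    <provider android:name=".LegacyProvider"
              android:authorities="com.example.legacy"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for authority in world_readable_providers(SAMPLE_MANIFEST):
        print("readable by any app: content://" + authority)
```

Restricting who can read a provider does not address the storage side of the problem described above; secrets kept in plain text remain exposed to anything that does obtain access.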