Comment by kevindamm

1 year ago

I wouldn't really call this a bug, more like an unfortunate side effect of combining these particular components: domain names that can change ownership, BYO email (as backup email & email provenance), the liberal allowance of plus-aliases (which I'm sure someone somewhere is claiming a business need or they would have killed it long ago), and service implementers not reading the documentation (or largely copying solutions from a video or example with cut corners for brevity/simplicity, likely to facilitate its easy consumption).

If I were designing a circuit with a few PCB components and needed to introduce resistors and transistors as appropriate for the voltage and current needs of the device... would you expect me to read the data sheet or just guess it from a simpler example and run with it? In a lot of cases the circuit would still work, or it would after a few bench tests and a bit of probing. But maybe it wouldn't be as efficient and a component would short out, leading to low MTF and sad customers. Worst case scenario, maybe combusting batteries and real harm. Now ask yourself, is it really the PCB module manufacturers' fault that the device fails prematurely? Or is the device manufacturer the one responsible for reading the data sheet?

I don't typically hold all software to such rigorous expectations but when it deals with authentication and authorization I would expect service owners to be thorough.

TFA even says that the issue doesn't exist if the docs are followed. Alphabet did at least acknowledge there's a weakness there by granting the bounty, maybe they'll provide some controls for company administrators to allowlist/rejectlist plus-aliases or nonexistent roles, or maybe restrict the migration of Apps-affiliated emails to non-org claims? (My guess is they're measuring the impact of this, or prioritizing the measurement of impact, where priority is low because it is a problem with clients that assume email claims are more authoritative and permanent than they actually are).

I suppose the definition of "bug" depends a lot on the definition of "expected" and who's expecting, but I would assert it is not a deviation from intended behavior, at least, and not unexpected to those who grokked the docs.
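As an added illustration of the point above about clients treating email claims as more authoritative and permanent than they are (example code, not from this thread or the article): a sign-in handler that keys local accounts on the `sub` claim, which Google's OpenID Connect documentation names as the stable per-user identifier, beside the fragile email-keyed version. The token payloads and account records are constructed; the `hd` pinning is an optional hardening step, not something the comment prescribes.

```python
"""Added example (not code from the thread): resolving a local account from a
Google ID token by the documented stable identifier (`sub`) instead of the
`email` claim, which can legitimately point at a different person over time."""

# Constructed payloads shaped like decoded Google ID tokens (hypothetical values).
# Same e-mail string, two different Google accounts (different `sub`), as happens
# when a domain changes hands or an address is re-created under a new owner.
ORIGINAL_OWNER = {
    "iss": "https://accounts.google.com", "sub": "100000000000000000001",
    "email": "alice@example.com", "email_verified": True, "hd": "example.com",
}
LATER_CLAIMANT = {
    "iss": "https://accounts.google.com", "sub": "100000000000000000002",
    "email": "alice@example.com", "email_verified": True, "hd": "example.com",
}

# Local account store: one entry, created when the original owner first signed in.
ACCOUNTS_BY_EMAIL = {ORIGINAL_OWNER["email"]: {"id": 42, "role": "admin"}}
ACCOUNTS_BY_SUB = {ORIGINAL_OWNER["sub"]: {"id": 42, "role": "admin"}}


def resolve_by_email(token):
    """Fragile pattern: the e-mail string is treated as the identity.
    Even with email_verified=True, a later token from a *different* account that
    carries the same string resolves to the old owner's account."""
    if not token.get("email_verified"):
        return None
    return ACCOUNTS_BY_EMAIL.get(token["email"].lower())


def resolve_by_sub(token, expected_hd=None):
    """Documented pattern: `sub` is the per-issuer, never-reassigned user id;
    `email` is only display/contact data. Optionally pin the hosted-domain claim
    so tokens minted for another Workspace org are refused outright."""
    if token.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        return None
    if expected_hd is not None and token.get("hd") != expected_hd:
        return None
    return ACCOUNTS_BY_SUB.get(token["sub"])


if __name__ == "__main__":
    print(resolve_by_email(LATER_CLAIMANT))  # {'id': 42, 'role': 'admin'}: old account
    print(resolve_by_sub(LATER_CLAIMANT))    # None: treated as a new, unknown user
```

Signature and expiry checks on the ID token are assumed to have happened before either function is called; this only shows the lookup step.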