Comment by KennyBlanken

2 months ago

> that has effectively no half-life once discovered

Google knew about this already, and hadn't done anything to fix it...and when it was reported, they didn't fully understand it and were dismissive, until the author came back at them again.

> Unmasking Google accounts? Could there be a business there? Sure, maybe

I'm pretty sure there are a _lot_ of YouTube channels that private and public entities would love to uncover the identity of, and I would say that it's very unlikely these guys were the first to piece all this together.

The main takeaway for me is how incompetent Googlers seem to be, both in the basic "web application 101" mistakes made (not properly validating/restricting fields) and the clearly rushed evaluation of the security report. Such a report should trigger some folks going "oh, that's not good. I wonder what else is broken about this." Not "meh, not significant, quick patch, fixed."

Nobody at Google wants to work on stuff that isn't going to get them up a rung on the ladder.