Hacker News

crazygringo, yesterday at 2:52 PM (3 replies)

Google does have a security review process on literally everything it launches.

Which is what makes this so notable. Did the security review not catch this, or did they choose to launch anyways because it was too hard to fix and speed was of the essence?


Replies

nitwit005, yesterday at 7:29 PM

I'd expect the security team to realize what the code is treating as a secret isn't actually secret.

But there's a second insight that seems tough for a security review to catch. You have to realize that even though you can't do anything obviously malicious with the API, there is a billing problem.

sublimefire, yesterday at 5:32 PM

Have you been on these reviews? The idea that the review will catch a misuse of the key generation infrastructure is a bit over the top.

gowld, yesterday at 7:53 PM

Maybe the experienced security reviewers were laid off.