Google API Auth/Access is extremely tedious, so I guess someone just didn't bother. Basically you have to get a token, format it, make a couple of HTTP posts, and finally you will have a token to make an access-token-token ... Now imagine all the steps you would have to make to create a new type of access to some internal API that should not have public access anyway. Probably saved six months' work. And the libraries are probably hiding all the obscurity so no one noticed until this guy started digging.
Sounds plausible. Now I’m curious how much extra work this finding has caused teams at Google. There are probably many other similar insecure paths that need to be cleaned up.