Apparently nobody mentioned it yet but TFA talks about the "timeline" and ends up saying that, two days before publicly reporting, Google did change something (after all, after saying for 6 months that the exploit was an expected behavior):
"2013/02/21: Fix is pushed by Google to prevent ASP-initiated sessions from accessing sensitive account interfaces."
So is that one particular hole described in the article / blog fixed or not!?