top | item 47166901

(no title)

Google does have a security review process on literally everything it launches.

Which is what makes this so notable. Did the security review not catch this, or did they choose to launch anyways because it was too hard to fix and speed was of the essence?

discuss

nitwit005|3 days ago

I'd expect the security team to realize what the code is treating as a secret isn't actually secret.

But there's a second insight that seems tough for a security review to catch. You have to realize that even though you can't do anything obviously malicious with the API, there is a billing problem.

mdavidn|2 days ago

When a cross-cutting team is responsible for something, it's no longer the product team's problem: Architecture, infrastructure, CI/CD, QA, load testing, security...

sublimefire|3 days ago

Have you been on these reviews? The idea that the review will catch a misuse of the key generation infrastructure is a bit over the top.

gowld|3 days ago

Maybe the experienced security reviewers were laid off.