You know, just when I think I’m being a super nice guy, and I go out of my way to go through responsible disclosure, I am slapped in the face with the exact reason why I don’t think responsible disclosure works for some companies. Certain companies I have worked with are ultra responsive, understand risks, and do their absolute best to combat anything that may be used to harm them or their consumers. Then there’s Google:
If I misunderstood the report in any way, please don’t hesitate to correct me. For the moment, though, I’m closing this issue. Thanks for sending this over.
The Google Team
So for anyone interested in exploiting this non-bug, they would tell people to add their own modules, which are hijacked, of course, allowing them to take over other people’s websites when they embed the erroneous third-party code. Kinda nasty. Unlikely, but nasty. More likely it would simply be in phishing sites that didn’t want their sites taken down, but wanted Google’s to be taken down instead. For the record, this is not the first time I have responsibly disclosed issues to Google, and this is the third time they have said what I reported was either not a bug or too hard to fix. So much for using responsible disclosure with Google. Ugh.