[crazygringo]

Google does have a security review process on literally everything it launches.

Which is what makes this so notable. Did the security review not catch this, or did they choose to launch anyways because it was too hard to fix and speed was of the essence?

[nitwit005]

I'd expect the security team to realize what the code is treating as a secret isn't actually secret.

But there's a second insight that seems tough for a security review to catch. You have to realize that even though you can't do anything obviously malicious with the API, there is a billing problem.

[mdavidn]

When a cross-cutting team is responsible for something, it's no longer the product team's problem: Architecture, infrastructure, CI/CD, QA, load testing, security...

[sublimefire]

Have you been on these reviews? The idea that the review will catch a misuse of the key generation infrastructure is a bit over the top.

[gowld]

Maybe the experienced security reviewers were laid off.