1. 2
    1. 1

      I haven’t read the full article, but the headline is a bit strange.

      There is an undocumented API which can be used to get a fresh authentication cookie even when the old one is expired or the password has changed. So I would say Google has either a badly designed API or a bug in the implementation. Of course, as soon as this is some sort of public, malware authors and other criminals use this. So why is it important that malware uses this endpoint? Also, why “abuse”? It doesn’t look like this is a design which is fundamental so that you can’t prevent this kind of usage.