Google seem to have finally fixed the flaw sometime around 6am today, not bad only took them a little over 2 years, so good to know they’re responsive. Actually it seems from the logs that it made it into the google bug tracking system around 4pm yesterday, so 14 hours from then to fully rolled out is actually quite impressive, what’s not impressive is the failure of the firstname.lastname@example.org address and the lack of any phone numbers to contact them.
Google did eventually get in contact with me by email at around 7PM yesterday, 3 hours after they knew about it and an hour after the bugtraq posting they didn’t seem to be overly concerned and claimed “to be aware of the issue” combined with their lack of thanks of me drawing their attention to it suggests that it was actually a known bug they’d just neglected to fix. They said they’d look in to why my email@example.com emails failed to elicit a response, but seemed mostly concerned about getting me to take the exploit page down - I declined that request, it didn’t seem worthwhile as the exploit had by then been mentioned on lots of other sites, so it would’ve done nothing to aid security.
Hopefully Google will get in touch explain what went wrong with the communication of the issue, hopefully google will realise that a phone number of the security team on the web would also help (After trying to explain to Tesco customer support a few years back that there was a non SSL credit card collection problem and getting absolutely nowhere, I’m not going to call normal people with security issues, they don’t understand them) I don’t actually expect them to get back in touch though, they weren’t exactly friendly. Perhaps not surprising as to them it seemed I went public before informing them, but a trivial hole that’d been there for 2 years, I had to do something to get it fixed.