I'm a bit surprised by the timeline which seems to say that:
- 6 weeks ago Google said they would fix it
- 3 weeks ago Google said they were working on it
...but we're publishing the info anyway, so everyone can go nuts with it.
I'm a bit surprised by the timeline which seems to say that:
- 6 weeks ago Google said they would fix it
- 3 weeks ago Google said they were working on it
...but we're publishing the info anyway, so everyone can go nuts with it.
That's the nature of disclosure deadlines. Talk is cheap. If they didn't disclose when they said they would, Google wouldn't feel any pressure to fix the issue.
It seemed like this was already being exploited online so it is responsible to disclose so people can protect themselves by revoking their keys. Bills near $100,000 are showing up for people.