I stole the data in millions of people’s Google accounts

107 points by fgblanch, over 4 years ago

10 comments

ghusbands, over 4 years ago
Can the title be altered to contain the truth? (That this is a hypothetical scenario, and no data has been stolen.) The article is a bait and switch but that doesn't mean HN should do the same. Changing "stole" to "could steal" would work.
wheresvic4, over 4 years ago
I think that these days it is safe to assume that one could always be locked out of their google account for whatever reason. It is best practice to simply create a local account with whatever app/service that one wants to use.

I personally use an email with a custom domain which I pay for so I am relatively secure of keeping access to my email address. Moreover, I use a local password manager to store all my passwords. This setup is a bit of a pain but it is also liberating as I am not at the mercy of any third party when I am transacting with a service.
kwijibob, over 4 years ago
And sometimes they ask for "Sign in with Google", you say yes, and then they still try to make you create a unique password.
ffpip, over 4 years ago
This was flagged for clickbait a day ago

https://news.ycombinator.com/item?id=25717156

It's the exact same article by the same author.
petargyurov, over 4 years ago
I don't get this:

> Nothing I did would technically be considered an ‘exploit’

Erm, yes it can? It's exploiting a glaring vulnerability in Google's auth flow, or at the very least a dodgy way to expose master tokens.
matsemann, over 4 years ago
I'm always suspicious when I click "Sign in with X" and it prompts me to enter details. Normally I would already be logged in. But not always, for instance I mostly use Firefox on my phone, and those sessions aren't shared with webviews. So one can never know.

There's really nothing stopping anyone from making an entirely fake "Sign in with X" popup and people would believe it (me included). I think teaching people to give away their Google, FB, GH etc credentials on random pages is scary.
jojobas, over 4 years ago
"Sign in to X with Y" is a terrible idea all around. Even if X does not get access to your Y account, Y definitely has access to your account in X.
barrkel, over 4 years ago
It's amusing to see a (valid, IMO) security issue with Google being continuously flagged as clickbait because of how the article is written.
cr3ative, over 4 years ago
So weaponise it and get your money from the bug bounty programme. Put up or shut up. ;)
selckin, over 4 years ago
What a world, where you can proudly announce you tricked millions of people into sharing their private information without any consequences

EDIT: I should believe where he said he didn't do it, not where he said he did it