It’s not so much a security issue as a privacy issue, but Google fixed it none the less. The Google AppEngine API allows sites to get the user’s email address, and if the user had logged in to another Google service AppEngine would do so with out prompting them to log in again free CV.
Once you had the user logged in you could pass that information to another site through a lot of methods.
user = users.get_current_user()
self.response.headers[‘Content-Type’] = ‘text/plain’
Google has patched the whole now requiring pages that use the get_current_user api to be re-authenticated. The code still works… but the user is no longer automatically authenticated free ringtone iphone.