How Material Security Uncovered a Vulnerability in the Gmail API

Natasha and I uncovered a vulnerability in the Gmail API that allowed an attacker to pull attachments without authorization having the attachmentId.

You can read the blog post written by @Centurion.