Quote Originally Posted by Kaurhz View Post
1. The issue probably won't be fixed. That would require them to acknowledge the issue, and clearly they see sending a raw account ID (Even if only a 'segment' of that ID) from server to client as a perfectly reasonable -- and absolutely not utterly insecure -- manner of doing things.
Ever used a "Login with Google" button on some random website? Do you know what that website gets? A unique, internal account ID that Google has assigned to you. Details:
In technical terms, the login flow uses a protocol known as OpenID Connect. One the pieces of information the website eventually gains access to is a "sub" claim:
An identifier for the user, unique among all Google accounts and never reused. A Google account can have multiple email addresses at different points in time, but the sub value is never changed. Use sub within your application as the unique-identifier key for the user.

Sending out unique identifiers isn't inherently insecure. It's what that unique identifier can be used for or tied to that is potentially the problem.