"This exploit enables continuous access to Google services, even after a user’s password is reset"

"Exploiting Undocumented OAuth2 Functionality for session hijacking"

https://www.independent.co.uk/tech/google-account-password-hack-b2475384.html