
193 points todsacerdoti | 1 comments
1. taspeotis No.41084760
> The vector here is they would use one email address to try to sign in, and a completely different email address to verify a token

Is this like the PayPal XSRF vulnerability where any issued XSRF token was considered valid regardless of the user trying to use it?

I’d expect Google to have some standard way to handle this stuff.
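The failure the comment describes, a verification token accepted for an account other than the one it was issued to, shown as an added illustration that is not from the thread or from any of the sites mentioned; the in-memory store, function names and constructed inputs are all assumptions.

```python
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory store: token -> {"email", "expires"}.
# A real deployment would keep these records server-side in a database.
_tokens: dict = {}
TOKEN_TTL_SECONDS = 600


def issue_token(email: str, now: Optional[float] = None) -> str:
    """Issue a random, expiring token and record which account requested it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _tokens[token] = {"email": email.lower(), "expires": now + TOKEN_TTL_SECONDS}
    return token


def verify_unbound(email: str, token: str, now: Optional[float] = None) -> bool:
    """Flawed check: any issued, unexpired token passes, and the account the
    caller is trying to verify is never compared with the one in the record."""
    now = time.time() if now is None else now
    rec = _tokens.get(token)
    return rec is not None and rec["expires"] > now


def verify_bound(email: str, token: str, now: Optional[float] = None) -> bool:
    """Hardened check: the token must be unexpired, single-use, and bound to the
    same account that requested it (compared in constant time)."""
    now = time.time() if now is None else now
    rec = _tokens.get(token)
    if rec is None or rec["expires"] <= now:
        return False
    if not hmac.compare_digest(rec["email"].encode(), email.lower().encode()):
        # Mismatch: the token is presented for a different account than it
        # was issued to; this is the condition the comment asks about.
        return False
    del _tokens[token]  # consume on success so it cannot be replayed
    return True
```

Logging the mismatch branch (issuing account, presenting account, source IP) gives a direct detection signal for this class of abuse.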