Google has hurriedly fixed a gaping hole in its Web page removal request tool after outsiders discovered they could traverse up the directory root, browse folders and find weak database passwords.
Apparently it is a simple directory that wasn't protected, so we can traverse up their directory root and browse folders. A study gave me the impression this hole is unique, legit and not a honey pot. Now it can happen the best of the best that a directory becomes readable. But, one must never, ever, not in a million years, store your database connection info in a folder that can be viewed remotely. Like the www folder.
And it looks like Google has a password-strength problem:
What strikes me most is that they log in as root user and second the utter simplicity of the used passwords: 6 chars long 4 digits and two letters in the first one. A little ironic regarding Google's advisory on password strength.