Sounds like a fun one to find. Good on him for digging around. I could totally see how this oversight would happen too, with the engineers working on a secure auth system but not thinking about a proxy or caching layer that might expose them.

It's intriguing though because it seems like the sort of thing Google is expressly focused on from a security standpoint. Essentially the problem here was that access was limited to Google's own network, but Google has repeatedly talked about how they no longer consider their own internal network secure. (See also: Anything about BeyondCorp.)

That being said, from the looks of this interface's channel-based settings, and the mention of YouTube TV, my guess is this is some classic telecom-industry hardware, and Google may have folks from the TV broadcasting industry working more heavily on this particular arm of the organization.

It doesn't much look like an interface Google itself designed, so they may be more limited in how they can lock it down.