hi 
google security team


i found in your service website name:
URL=https://myactivity.google.com
specialy in javascript code name:
js1:angular-material.js
js2:material-history.js
html element :"<md-button flex></md-button>" "mdMenu"
vulnarability description: 
1-first open URL=https://myactivity.google.com
2-second go to delete recent activity 
3-finally the code product the "500 Internal Server Error" with this code :
-------------------------------------------------------------------------------------
!DOCTYPE html>\n<html lang=en>\n  <meta charset=utf-8>\n  <meta name=viewport content=\"initial-scale=1, minimum-scale=1, width=device-width\">\n  <title>Error 400 (Bad Request)!!1</title>\n  <style>\n    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}\n  </style>\n  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>\n  <p><b>400.</b> <ins>That’s an error.</ins>\n  <p>Your client has issued a malformed or illegal request.  <ins>That’s all we know.</ins>\n","status":400,"config":{"method":"GET","transformRequest":[null],"transformResponse":[null],"jsonpCallbackParam":"callback","url":"/history/js_gen_204?sig=AODP23YAAAAAWjkchh56UKGTrScoFA-TleXnxmFiM48L&error_type=3&error_msg=400&jsv=myactivity_20171212-0122_1","headers":{"Accept":"application/json, text/plain, */*"}},"statusText":"Bad Request"} undefined
-------------------------------------------------------------------------------------
4- this code" {"method":"GET","transformRequest":[null],"transformResponse":[null],"jsonpCallbackParam":"callback","url":"/history/js_gen_204?sig=AODP23YAAAAAWjkchh56UKGTrScoFA-TleXnxmFiM48L&error_type=3&error_msg=400&jsv=myactivity_20171212-0122_1" is the important for me because the request page from client and server is switched "GET" to "POST" .
5-finally this vulnerability issues make a hacker to implement many attack ddos attack sql injection and many types for webservers attacks.

thank you ,
Bilel Mathlouthi
from tunisia 
white hate hacker