mask.of.sanity (1228908) writes "A still-active flaw has been discovered in Google Apps Engine that allows user sessions to be hijacked.
The researcher who discovered the flaw used the Cookie Cadger tool to hijack a session over an unprotected wireless network and was granted full admin access to the user's database.
The specific conditions under which the flaw exists were not revealed. It was a flaw only because Google forces its Apps Engine users onto encrypted HTTPS which prevents this type of interception."
Link to Original Source