Where to start looking for vulnerabilities

Where do you start looking for vulnerabilities when you think about the security of a web service?

As the guys at detectify.com laid out in more detail (and with a great example), many bugs lurk in seldom-used and/or very old parts of the system. The idea behind this is as simple as it is effective: old sections are usually not under scrutiny once they’ve proven to work.

If some new attack is discovered, there is quite a good chance that the old and rarely used sections will be forgotten.

And every now and then this comes around to bite you. This is what allowed read access to a Google server, as described in the link above.