Had this been a session token the problem would have been less severe (session tokens won't be reused on the user's Gmail account for instance), easier to detect, and easier to mitigate once discovered.
Probably because of this:
> Hmm. Seems on par with the security of pretty much every angularjs site i've seen. Moving on.