This is according to security researchers at Netcraft, who posted their findings last Friday. According to them, creating the prank led Google to omit a crucial header in its code that would have prevented clickjacking attacks. Without that header, the page was left open to attack, although thankfully it does not seem that hackers were aware of the flaw or took advantage of it.
Netcraft writes, “A remote attacker could also have leveraged this ‘feature’ to display the Google Search Settings page in an iframe on an external domain, and trick his victims into unwittingly changing those settings. A carefully constructed clickjacking attack could have gone unnoticed by each victim until it was too late and the settings had already been changed.” The researchers also reached out to Google, which presumably has since addressed the issue. Close call, Google!
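
A defender can catch this kind of regression by checking every response for an anti-framing policy before release. The following is an added example, not code from Netcraft or Google. The article does not name the header, so the check assumes the two standard controls, `X-Frame-Options` and the CSP `frame-ancestors` directive, and the function names and sample responses are constructed for illustration.

```javascript
// Added example (not from the article). Sample responses below are constructed.

// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Classify who may frame a response: 'deny', 'same-origin', 'allowlist',
// or 'unprotected' (any external site can embed it in an iframe).
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();

  // CSP frame-ancestors, when present, overrides X-Frame-Options in browsers.
  const sources = h['content-security-policy'] !== undefined
    ? frameAncestors(h['content-security-policy']) : null;
  if (sources !== null) {
    const s = sources.map(x => x.toLowerCase());
    if (s.every(x => x === "'none'")) return 'deny'; // an empty list also denies
    if (s.some(x => x === '*' || /^https?:$/.test(x))) return 'unprotected';
    if (s.every(x => x === "'self'")) return 'same-origin';
    return 'allowlist';
  }

  const xfo = (h['x-frame-options'] || '').toLowerCase();
  if (xfo === 'deny') return 'deny';
  if (xfo === 'sameorigin') return 'same-origin';
  // Missing header, or the obsolete ALLOW-FROM form that current browsers ignore.
  return 'unprotected';
}

// Constructed responses: a settings page with and without the header.
const samples = {
  'settings page, header omitted': { 'Content-Type': 'text/html' },
  'settings page, header present': { 'X-Frame-Options': 'SAMEORIGIN' },
  'CSP only': { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
};
for (const [label, headers] of Object.entries(samples)) {
  console.log(`${label}: ${framingPolicy(headers)}`);
}
```

Running a check like this over every state-changing page in a deployment pipeline turns a forgotten header into a failed build rather than a researcher's report.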