Creating a bogus @google.com address using one bug, and then getting rights to access the details of all (most?) bugs in the system.
There's a funny thing where for most software vulnerabilities a writeup like this can explain exactly what happened why. But then for web-based services all you see is a bug that looks totally braindead. It's user accounts! how hard can that possibly be?
I work on stuff related to security of account systems at the moment; turns out that just like in every other area of modern computing, it's incredibly complicated.
You've forgot the PIN and passphrase of your hardware bitcoin wallet. Must be out of luck, those things can't possibly have trivial vulnerabilities. I mean, surely those sophisticated cryptocurrency enthusiasts would be able to spot the snakeoil a mile away. Oh... No?
Rewriting the Xen control plane to optimize the boot time of thousands of tiny VMs. Benchmarked against Docker, which seems just absurdly bad at this one.
(Not impressed by the numbers outside of booting with regard to "lightness". E.g. the throughput and scaling numbers for the personal firewall application are just miserable.)