The people at Google probably know as much about exploits and hacking as anyone, so why would they release an application that has more holes than a thousand golf courses? Unbelievably, this application has practically every vulnerability known to man: cross-site scripting, path traversal, code execution, input spoofing, and denial of service, just to name a few. Google not only admits that the app is inherently insecure, they're bragging about it. That's because this app, named "Jarlsberg", is meant by Google as a way for people to learn about vulnerabilities by inviting them to hack it.
Google's tricky online tutorial for web developers includes a server that contains classic vulnerabilities for them to exploit. The tutorial has two parts: an intentionally unsafe mini-blog web application, and a guide on how to find some of the vulnerabilities in the app.
Produced by Google Code University, the guide has sections on cross-site scripting, path traversal, code execution and denial of service. It provides hints to students on how to craft exploits, and in case the students can't figure it out, the end of each section gives the budding hackers answers and suggestions on how they might improve their technique.
The Jarlsberg app and its source code are available online, and Google's Jarlsberg server is hosted on Google's App Engine. It can also be downloaded and run locally. No real analysis of the source code is necessary to find the vulnerabilities; they're there for all to see.
Kudos to Google for providing educational information like this, which in the end will (hopefully) make the web a safe place for everyone.