A security researcher has uncovered what Google has described as a "high impact" bug in its account recovery process, which could have potentially allowed hackers to trick users into handing over their passwords.