I reported this to Google about the same time, in June last year, and got a similar response. Interestingly, I published some notes on the issue almost exactly one week before the duosecurity researchers 'discovered' it ;)

http://grkvlt.blogspot.co.uk/2012/08/google-tfa-security-iss...