This is insane. I was reading up on the "advanced protection program", cited as the only mitigation currently available to prevent this exploit.

But it's got some enormous downsides! The only apps you're allowed to install are signed ones from the Play store; you have to use a passkey for all things Google; and that Chrome is the only supported browser for logging in.

Google, fix this attack vector!

Also, is there a CVE assigned to this exploit already?