Date: 2023-11-15

The infoseccers say Google told them the weaknesses would not be addressed and won't receive any security fixes since they fall outside the company's threat model. Vulnerabilities that rely on compromised local machines, like those highlighted by Bitdefender today, aren't considered Google-specific bugs since a compromise through methods like malware should be covered by an organization's existing security controls.

Bitdefender says this shouldn't be taken lightly and the weaknesses highlighted in its research are potentially realistically exploitable. "Threat actors often seek out and exploit these gaps in coverage," it says in its report.

The attacks hinge on an organization's use of Google Credential Provider for Windows (GCPW), which offers mobile device management (MDM) and single sign-on (SSO) capabilities. When GCPW is installed on a machine, a local Google Accounts and ID Administration (GAIA) account is created, which has elevated privilege

