The researcher, Imre Rad, detailed his findings in a post made public last week on GitHub. The issue was reported to Google in late September 2020 and it was confirmed by the tech giant. Rad decided to disclose the vulnerability due to Google’s failure to fix the issue and provide information on its progress.
Rad described it as an unpatched vulnerability, but Google says it has taken some steps to prevent the more dangerous exploitation scenarios. In addition, Google does not have a problem with researchers disclosing vulnerabilities after 90 days if the company hasn’t been able to patch them.