Google 说的对:

"Exploitation of this behavior requires that the victim run malicious code without review and that they disregard an explicit UI warning before doing so."“利用这种行为需要受害者在未进行审查的情况下运行恶意代码，并且无视事先显示的明确用户界面警告。”

确实门槛太高了，没啥意思。

Timeline

Jan 8, 2026: Reported the issue to Google Cloud VRP. On the same day, received the automatically generated acknowledgment email.

Jan 9, 2026: The report priority was updated from P2 to P1.

Jan 26, 2026: Google closed the report as "Intended Behavior" with the following message:

"Exploitation of this behavior requires that the victim run malicious code without review and that they disregard an explicit UI warning before doing so."