by oogetyboogety 1992 days ago
Would like to know your results if you submitted this to the bug bounty program. Maybe put that at the top?
3 comments

This type of attack is already known, so it wouldn't be eligible for any kind of bounty. It is why Google is switching to disallowing auth from embedded browsers, and only allowing known-good + standards-compliant browsers to do auth instead.
These types of attacks are already known and out of scope for the bounty.

Users giving their password on random popups asking for it is not something Google can control.

Is it a bug?

Arguably, everything here is working as intended.