Researchers at cybersecurity firm Varonis Threat Labs discovered a significant vulnerability in an internal, AI-powered coding tool used by Google employees. The flaw, which Varonis named ‘Antigravity’, allowed arbitrary code execution on the workstations of Google developers.
Vulnerability Details and Discovery
The ‘Antigravity’ vulnerability was identified in the update mechanism of an AI coding assistant that is not available to the public. According to Varonis, the flaw permitted an attacker to manipulate the tool’s update process and, by doing so, execute malicious code on a developer’s machine, gaining unauthorized access to the system.
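The article does not say how the update process could be manipulated, so the mechanism is not reproduced here. What follows is an added illustration, not Varonis’s findings or Google’s code, of the checks any client-side updater has to enforce before it runs downloaded code: the update manifest must carry a valid signature from the publisher’s pinned key, the version must be newer than what is installed (so an old, known-bad release cannot be replayed), and the payload hash must match the signed manifest. The `Manifest` format, the Ed25519 key pair, the sample payload and the version numbers are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical description of one update, signed by the publisher.
// Only what the publisher signed is trusted; nothing about the payload is
// trusted until its hash has been compared against this signed record.
type Manifest struct {
	Version    int    `json:"version"`
	PayloadSHA string `json:"payload_sha256"`
}

// SignedManifest is the serialized manifest plus the publisher's Ed25519 signature.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

// Distinct errors let callers (and tests) tell the rejection reasons apart.
var (
	ErrBadSignature = errors.New("update rejected: manifest signature invalid")
	ErrDowngrade    = errors.New("update rejected: version is not newer than installed")
	ErrPayloadHash  = errors.New("update rejected: payload hash does not match manifest")
)

// SignManifest is the publisher-side step: serialize the manifest and sign the bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyUpdate is the client-side gate. It verifies the signature before parsing
// anything, refuses downgrades and replays, and binds the payload to the manifest
// by hash. Only when all three pass may the caller go on to install the payload.
func VerifyUpdate(pub ed25519.PublicKey, installed int, sm SignedManifest, payload []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return m, fmt.Errorf("update rejected: malformed manifest: %w", err)
	}
	if m.Version <= installed {
		return m, ErrDowngrade
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA {
		return m, ErrPayloadHash
	}
	return m, nil
}

func main() {
	// Constructed sample: the publisher's key pair (pinned in the client) and a payload.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed sample update payload")
	sum := sha256.Sum256(payload)
	sm, _ := SignManifest(priv, Manifest{Version: 2, PayloadSHA: hex.EncodeToString(sum[:])})

	_, err := VerifyUpdate(pub, 1, sm, payload)
	fmt.Println("genuine update:", err)

	// Payload swapped after the manifest was signed.
	_, err = VerifyUpdate(pub, 1, sm, []byte("swapped payload"))
	fmt.Println("tampered payload:", err)

	// Manifest re-signed with a key the client does not trust.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := SignManifest(otherPriv, Manifest{Version: 3, PayloadSHA: hex.EncodeToString(sum[:])})
	_, err = VerifyUpdate(pub, 1, forged, payload)
	fmt.Println("forged manifest:", err)

	// A genuine but already-installed release offered again.
	_, err = VerifyUpdate(pub, 2, sm, payload)
	fmt.Println("replayed version:", err)
}
```

The order of the checks matters: the signature is verified over the raw bytes before the JSON is parsed, so an unauthenticated manifest never reaches the parser, and the version comparison runs before the (comparatively expensive) payload hash. In a real updater the public key would be compiled into the client, and the same checks would have to apply to every channel the tool accepts updates from, since an attacker only needs one unchecked path.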
Impact and Resolution
Successful exploitation of the ‘Antigravity’ flaw would grant an attacker control over a Google developer’s workstation. Such access could potentially expose sensitive information, including Google’s source code and internal infrastructure, and could be used to reach other internal services. Varonis followed responsible disclosure protocols by reporting its findings to Google’s Vulnerability Reward Program.
Google acknowledged the vulnerability report from Varonis and subsequently patched the flaw. A statement from Google confirmed that the issue was fixed and that its investigation found no evidence that the vulnerability had been exploited by malicious actors.