When a user pronounces the words “a capo” (Italian equivalent of the English “new line”, “new paragraph”) an unspecified Google Assistant App translates this as the control character \n, interpreting the phrase as if the user had pressed the Enter key, to submit the input.
Ok Google! Do you like to process empty input? Yes! So instead of hearing a password for the app, Google Assistant is tricked into falling to the apps "Default Intent" which provides access to the apps main menu. From there, the attacker can access any functionality for any user. Nice! The security researcher that found and responsibly reported it to Google did NOT get any credit or reward although Google did eventually fix it here after back tracking from saying it was a "no fix".