AI Researcher Hacked Google, Earned $50 Using Bounty
Security researcher brutecat recently disclosed how an AI-driven fuzzing pipeline identified over $500,000 in vulnerabilities across Google’s infrastructure. In less than three months, this...
Security researcher brutecat recently disclosed how an AI-driven fuzzing pipeline identified over $500,000 in vulnerabilities across Google’s infrastructure. In less than three months, this advanced system uncovered systemic access-control failures embedded within approximately 1,500 APIs.
The researcher began by targeting Google’s discovery documents machine-readable API specifications, similar to Swagger docs, that list all available endpoints, parameters, and methods. While these documents are publicly available for APIs like the YouTube Data API, many exist for internal Google APIs and require valid API keys to access .
| Vulnerability | Affected Service | Bounty | CVE |
|---|---|---|---|
| Google Voice / Fiber account takeover — unauthenticated PII + recovery phone leak, arbitrary number assignment (P0/S0) | gfibervoice-pa.googleapis.com | $20,000 | — |
| AdExchange takeover — staging pointed at prod data, read accounts + add self as admin (2 issues) | adexchangebuyer | $30,000 | — |
| Eldar internal privacy-assessment API exposed publicly (rewarded x2) | eldar-pa.clients6.google.com | $26,674 | — |
| YouTube unlisted/private video ID leak via auto-generated Content ID assets | YouTube Content ID API | $12,000 | — |
| Widevine DRM takeover — leaked orgs, encryption keys, self-add to any org | alkaliwidevineintegrationconsole-pa | $16,004.40 | — |
PLX / DataHub — setIamPolicy self-grant as dataset owner, dump confidential YouTube data (2 issues) |
datahub (staging) | $12,000 | — |
| Nest device-owner deanonymization — sequential ID → Gaia ID, chained to email via Play Books license | nestauthproxyservice-pa | Not specified | — |
| Translation Hub — unauth ListOperations, cross-tenant read/write, GCS exfil (3 issues) | translationhub.googleapis.com | $36,500 | — |
| YouTube TV CMS — no access control on campaign CRUD, leaked CMS account emails | alkalitvfilm-pa | $24,000 | — |
| Vertex AI Search for Commerce — unauth read/write of intent-classification config (prompt injection) | retail.googleapis.com | $30,000 | — |
| Cloud Console GraphQL — App Engine request-log leak (no auth) | cloudconsole-pa (GAE_GRAPHQL) | $18,000 | CVE-2026-8934 |
| Cloud Console GraphQL — Vertex Assistant unauth session read/write | cloudconsole-pa (AIPLATFORM_GRAPHQL) | $30,000 | — |
| Cloud Console GraphQL — Google Maps Platform billing-credit + PII leak | cloudconsole-pa (GMP_GRAPHQL) | $12,000 | — |
Accessing most of them requires valid API keys, so the researcher and a collaborator, Michael Dalton, harvested credentials at scale. They scraped over 60,000 Android APKs, decrypted iOS binaries, and built a Chrome extension to intercept traffic across 2,800+ Google web domains, ultimately collecting around 3,600 keys.
Because a single key often has multiple APIs enabled on its Google Cloud project, this trove unlocked broad reach. To stay within Google’s program scope, the team filtered out non-Google keys using a Cloud Marketplace endpoint that resolves a project number to its owning domain.
They then bypassed the removed discovery paths, abused visibility labels like GOOGLE_INTERNAL to reveal hidden endpoints, and reverse-engineered Google’s proprietary First Party Authentication (FPA v2) after sourcemaps briefly leaked the relevant frontend library.
After collecting over 1,500 discovery documents from Google APIs, including hidden endpoints unlocked via undocumented GOOGLE_INTERNAL visibility labels, the researcher built a custom API Explorer capable of parsing any discovery document client-side and executing authenticated requests.
With the infrastructure in place, the researcher integrated Claude AI as an automated pentesting engine. The AI was given a set of custom tools — probe_api, report_vulnerability, and confirm_testing_complete to systematically test every endpoint for broken access controls and IDOR (Insecure Direct Object Reference) vulnerabilities.
The system was refined over a month through iterative prompt engineering. Key improvements included group-based endpoint classification, multi-key probing that automatically sent the same request across all known API keys, and standardized parsing of cryptic Google API error messages into human-readable labels. Once these improvements were in place, the AI’s vulnerability reporting accuracy exceeded 50%, making manual review fast and efficient .
Among the most severe findings was a complete lack of access controls on gfibervoice-pa.googleapis.com, a Google Voice and Google Fiber management API.
With a single unauthenticated curl command supplying only a victim’s Gaia ID, an attacker could retrieve full PII including the victim’s Google Voice number and account recovery phone number.
More dangerously, the API also allowed an attacker to assign any phone number to a victim’s Google account without authorization, with the number appearing under the victim’s verified phones at myaccount.google.com/phone .
This opened a path to potential account takeover (ATO) and SIM-swap-style attacks. Google rated this bug P0/S0, the highest possible severity and patched it within hours, awarding $20,000 for that single finding alone.
All vulnerabilities were reported responsibly through Google’s VRP program. In total, the AI-assisted research campaign uncovered bugs across dozens of internal Google APIs, collectively earning the researcher $500,000 in bounty payouts in under 90 days.
The research underscores a critical shift in offensive security: AI is no longer just a defensive tool in the right hands; it becomes a highly scalable vulnerability discovery engine capable of uncovering critical flaws in even the world’s most security-conscious organizations.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.