Friday , July 3 2026
Google

Using AI, Researcher Hacks Google and Earns $500,000 Bug Bounty

A security expert called brutecat shared how an AI-based testing system found over $500,000 in weak spots in Google’s systems in less than three months. This revealed big access control problems in about 1,500 APIs.

The researcher started by focusing on Google’s documents that show how to use their API, which are like Swagger docs. These documents list all the available endpoints, parameters, and methods. Some of these documents are open to the public for APIs like the YouTube Data API, but many are for Google’s internal APIs and need a valid API key to access.

Nepal Unveils First “Hall of Fame” for Ethical Hackers

Nepal has started a 'Hall of Fame' program to honor cybersecurity researchers who safely report security flaws in government digital...
Read More
Nepal Unveils First “Hall of Fame” for Ethical Hackers

900+ Oracle E-Business instances Exposed Online

The Shadowserver Foundation found about 950 Oracle E-Business Suite (EBS) systems on the internet around the world. This discovery came...
Read More
900+ Oracle E-Business instances Exposed Online

India asks WhatsApp not to roll out ‘username’ feature over fraud concerns

The Indian government issued a notice WhatsApp planned to roll out its new 'username' feature. They are worried about fake...
Read More
India asks WhatsApp not to roll out ‘username’ feature over fraud concerns

Azure CLI Password Spray Impacts 78 Microsoft Accounts in 81M+ Attempts

Cybersecurity researchers have warned of a "massive, ongoing, automated password spray attack" aimed at Microsoft's Azure command-line interface (CLI), compromising...
Read More
Azure CLI Password Spray Impacts 78 Microsoft Accounts in 81M+ Attempts

Chrome Update Patches 382 Vulnerabilities, Including 15 Critical

Chrome 151 has a new update that fixes 382 security problems. This includes 15 critical issues that could allow attackers...
Read More
Chrome Update Patches 382 Vulnerabilities, Including 15 Critical

Apple fixes more than 30 iOS, macOS, and Safari flaws

Apple released security updates on Monday for iOS, macOS, and Safari. These updates fix more than thirty issues, including four...
Read More
Apple fixes more than 30 iOS, macOS, and Safari flaws

Attackers exploit critical flaw in Oracle E-Business

Attackers are now using a flaw (called CVE-2026-46817) in the Oracle E-Business Suite (EBS) financial app, according to the security...
Read More
Attackers exploit critical flaw in Oracle E-Business

WhatsApp to allow usernames instead of phone numbers

WhatsApp is about to release a big update that may change how people communicate on the app. Soon, users can...
Read More
WhatsApp to allow usernames instead of phone numbers

Linux Unveils New Open Source Security Project “Akrites” For (OSS) Ecosystem

The Linux Foundation said on Thursday that they are starting a new project to fix flaws in open source software...
Read More
Linux Unveils New Open Source Security Project “Akrites” For (OSS) Ecosystem

Data breach affects 14.2 million email logins across six ISPs

KDDI Corporation, a Japanese telecom company, revealed a data breach. Hackers got into one of its email systems that five...
Read More
Data breach affects 14.2 million email logins across six ISPs

Accessing most of them needs valid API keys, so the researcher and his partner, Michael Dalton, gathered these keys in large amounts. They collected more than 60,000 Android APKs, unencrypted iOS files, and created a Chrome extension to capture data from over 2,800 Google web domains, ending up with about 3,600 keys.

Many keys have several APIs turned on in their Google Cloud project, which gave this access a wide range. To follow Google’s rules, the team removed non-Google keys using a Cloud Marketplace tool that connects a project number to its owner.

They then bypassed the removed discovery paths, abused visibility labels like GOOGLE_INTERNAL to reveal hidden endpoints, and reverse-engineered Google’s proprietary First Party Authentication (FPA v2) after sourcemaps briefly leaked the relevant frontend library.

After gathering over 1,500 discovery documents from Google APIs, including hidden endpoints revealed by special GOOGLE_INTERNAL labels, the researcher created a custom API Explorer. This tool can read any discovery document and run authorized requests from the user’s side.

The researcher set up Claude AI as an automatic testing tool. They loaded it with special tools — probe_api, report_vulnerability, and confirm_testing_complete to check every endpoint for weak access controls and IDOR (Insecure Direct Object Reference) issues.

The system was improved over a month with ongoing changes to prompts. Important upgrades were group-based endpoint classification, multi-key probing that sent the same request using all known API keys, and a way to change difficult Google API error messages into clear labels. After these upgrades, the AI’s reporting accuracy for vulnerabilities went over 50%, making manual checks quicker and easier.

Among the most severe findings was a complete lack of access controls on gfibervoice-pa.googleapis.com, a Google Voice and Google Fiber management API.


With a single unauthenticated curl command supplying only a victim’s Gaia ID, an attacker could retrieve full PII including the victim’s Google Voice number and account recovery phone number.

More dangerously, the API also allowed an attacker to assign any phone number to a victim’s Google account without authorization, with the number appearing under the victim’s verified phones at myaccount.google.com/phone .

This created a chance for account takeover (ATO) and SIM-swap attacks. Google marked this issue as P0/S0, the worst level of danger, and fixed it quickly, giving $20,000 for this one discovery. All problems were reported carefully through Google’s VRP program. Overall, the AI-supported research found problems in many internal Google APIs, earning the researcher $500,000 in rewards in less than 90 days.

ShinyHunters claim stolen data from 100+ org via oracle PeopleSoft servers

Check Also

Mythos

Anthropic’s Mythos reportedly broke NSA classified systems in hours

The recent finding shows how powerful Mythos is: the AI can access the US government’s …