Security researcher brutecat described how an AI-driven testing system earned over $500,000 in bug bounties for vulnerabilities in Google's systems in under three months, exposing serious access-control problems across roughly 1,500 APIs.
The researcher started with Google's API discovery documents, which are similar to Swagger/OpenAPI specifications: they list every available endpoint, parameter and method. Some of these documents are public, for example those of the YouTube Data API, but many describe Google's internal APIs and require a valid API key to retrieve.

Since most of them require a valid API key, the researcher and his collaborator Michael Dalton collected keys at scale: from more than 60,000 Android APKs, from unencrypted iOS app bundles, and via a Chrome extension that captured keys from over 2,800 Google web domains, ending up with about 3,600 keys.
Because many keys belong to Google Cloud projects with several APIs enabled, each key granted access to a wide range of endpoints. To stay within Google's rules, the team filtered out non-Google keys using a Cloud Marketplace tool that maps a project number to its owner.
They then worked around the discovery endpoints Google had removed, used visibility labels such as GOOGLE_INTERNAL to reveal hidden endpoints, and reverse-engineered Google's proprietary First Party Authentication (FPA v2) after source maps briefly exposed the relevant frontend library.
After gathering over 1,500 discovery documents from Google APIs, including hidden endpoints revealed by the GOOGLE_INTERNAL labels, the researcher built a custom API Explorer that can load any discovery document and issue authorized requests from the client side.
The researcher then set up Claude as an automated testing agent, equipping it with three custom tools (probe_api, report_vulnerability and confirm_testing_complete) to check every endpoint for weak access controls and IDOR (Insecure Direct Object Reference) issues.
The system was refined over a month of prompt iteration. Key improvements were group-based endpoint classification, multi-key probing that replayed the same request with every known API key, and normalization of Google's hard-to-read API error messages into clear labels. With these in place, the AI's vulnerability-report precision rose above 50%, which made manual verification faster and easier.
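As an added illustration (not the researcher's tooling), the audit below walks a Google-style discovery document and flags methods that declare no OAuth scope yet take an object identifier in the path, the shape of endpoint that most needs access-control review. The discovery document is a constructed sample for a hypothetical service, and the `audit` and `iter_methods` functions are my own.

```python
from typing import Iterator

# Constructed sample discovery document for a hypothetical service (not a
# real Google API). Real ones share this shape: nested "resources", each with
# "methods" carrying path, httpMethod, parameters and OAuth "scopes".
SAMPLE_DOC = {
    "rootUrl": "https://example-pa.googleapis.com/", "servicePath": "",
    "resources": {"accounts": {
        "methods": {
            "get": {"id": "example.accounts.get", "httpMethod": "GET",
                    "path": "v1/accounts/{gaiaId}", "scopes": [],
                    "parameters": {"gaiaId": {"type": "string", "location": "path"}}},
            "list": {"id": "example.accounts.list", "httpMethod": "GET",
                     "path": "v1/accounts",
                     "scopes": ["https://www.googleapis.com/auth/example"]}},
        "resources": {"phones": {"methods": {
            "add": {"id": "example.accounts.phones.add", "httpMethod": "POST",
                    "path": "v1/accounts/{gaiaId}/phones",
                    "parameters": {"gaiaId": {"type": "string", "location": "path"},
                                   "number": {"type": "string", "location": "query"}}}}}}}},
}


def iter_methods(resources: dict) -> Iterator[dict]:
    """Walk nested 'resources' and yield every method entry, depth first."""
    for res in resources.values():
        yield from res.get("methods", {}).values()
        yield from iter_methods(res.get("resources", {}))


def audit(doc: dict) -> list[dict]:
    """Return methods needing manual access-control review: no OAuth scope
    declared (key missing or empty) and a path parameter naming an object id."""
    base = doc["rootUrl"] + doc.get("servicePath", "")
    findings = []
    for m in iter_methods(doc.get("resources", {})):
        id_params = sorted(n for n, p in m.get("parameters", {}).items()
                           if p.get("location") == "path" and n.lower().endswith("id"))
        if not m.get("scopes") and id_params:
            findings.append({"id": m["id"], "http": m["httpMethod"],
                             "url": base + m["path"], "id_params": id_params})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_DOC):
        print(f"{f['http']:5} {f['url']}  unscoped, id params: {f['id_params']}")
```

Run against a real discovery document, the output is a review list, not a verdict: a flagged method may still enforce authorization server-side, which is exactly what the multi-key probing described above was built to check.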
Among the most severe findings was a complete absence of access controls on gfibervoice-pa.googleapis.com, a management API for Google Voice and Google Fiber.

With a single unauthenticated curl command supplying only a victim's Gaia ID, an attacker could retrieve the victim's full PII, including their Google Voice number and account recovery phone number.
More dangerously, the API also allowed an attacker to assign any phone number to a victim's Google account without authorization, with the number then appearing under the victim's verified phones at myaccount.google.com/phone.
This opened the door to account takeover (ATO) and SIM-swap attacks. Google rated the issue P0/S0, its highest severity, fixed it quickly, and paid $20,000 for this single finding. All issues were reported responsibly through Google's Vulnerability Reward Program (VRP). Overall, the AI-assisted research uncovered problems across many internal Google APIs, earning the researcher $500,000 in rewards in under 90 days.