Key Takeaways
- An AI‑driven fuzzing pipeline uncovered more than $500 000 in vulnerabilities across Google’s infrastructure in under three months.
- The campaign targeted over 1,500 internal and external APIs by harvesting discovery documents and ~3,600 API keys from Android APKs, iOS binaries, and web traffic.
- Researchers bypassed hidden endpoints using the undocumented GOOGLE_INTERNAL visibility label and reverse‑engineered Google’s proprietary First Party Authentication (FPA v2).
- A custom API Explorer combined with Claude AI acted as an automated pentesting engine, using tools such as
probe_api,report_vulnerability, andconfirm_testing_complete. - Iterative prompt engineering improved the AI’s accuracy past 50 %, enabling rapid manual review of findings.
- High‑impact bugs included unauthenticated PII leaks, arbitrary phone‑number assignment on Google Voice/Fiber, AdExchange takeover, Widevine DRM compromise, and multiple GraphQL‑based data exposures.
- All discoveries were reported responsibly through Google’s VRP, earning the researcher ≈ $500 k in bounties, with the most severe flaw rated P0/S0 and patched within hours.
- The work illustrates a paradigm shift: AI can serve as a scalable offensive security tool capable of finding critical flaws in even the most security‑conscious organizations.
Introduction and Scope of the Research
Security researcher brutecat disclosed how an AI‑powered fuzzing pipeline identified vulnerabilities worth over half a million dollars across Google’s suite of services in fewer than 90 days. The effort exposed systemic access‑control flaws hidden inside roughly 1,500 APIs, many of which were internal and not openly documented. By coupling large‑scale credential harvesting with automated testing, the researcher demonstrated that modern AI can dramatically increase the efficiency and reach of offensive security assessments against massive, well‑protected infrastructures.
Targeting Discovery Documents
The research began by fetching machine‑readable API specifications—similar to Swagger or OpenAPI documents—that list every endpoint, parameter, and method offered by a service. While some of these discovery files are public (e.g., for the YouTube Data API), many reside behind authentication and require a valid API key to retrieve. These documents served as the roadmap for the subsequent probing phase, providing a comprehensive map of the attack surface that would otherwise remain obscured.
Harvesting API Keys at Scale
To obtain the necessary keys, brutecat and collaborator Michael Dalton scraped more than 60,000 Android APKs, decrypted iOS binaries, and deployed a Chrome extension that intercepted traffic across 2,800+ Google‑owned web domains. This yielded roughly 3,600 distinct API keys. Because a single key often unlocks multiple APIs within its associated Google Cloud project, the collected set provided broad coverage. The team filtered out non‑Google keys by querying a Cloud Marketplace endpoint that maps a project number to its owning domain, ensuring all tested credentials fell within the scope of Google’s Vulnerability Reward Program (VRP).
Uncovering Hidden Endpoints
Many discovery paths had been deliberately removed from public view, but the researchers revealed them by abusing the undocumented GOOGLE_INTERNAL visibility label attached to certain endpoints. By sending requests that included this label, they forced the backend to return otherwise concealed routes. Additionally, a brief leak of sourcemaps exposed the frontend library implementing Google’s proprietary First Party Authentication (FPA v2), allowing the team to reverse‑engineer the authentication mechanism and craft valid signed requests for otherwise protected APIs.
Building a Custom API Explorer
With over 1,500 discovery documents in hand—including those unlocked via GOOGLE_INTERNAL—the researchers built a client‑side API Explorer capable of parsing any specification and executing authenticated requests automatically. The explorer normalized the varied Google API formats, handled pagination, and managed token refresh, providing a uniform interface for the subsequent AI‑driven testing stage. This tool eliminated the need for manual request crafting and ensured consistent coverage across the massive endpoint list.
Integrating Claude AI as Pentesting Engine
The core of the automation was a large language model (Claude) equipped with three custom tools: probe_api to send a request and capture the response, report_vulnerability to log findings with severity and evidence, and confirm_testing_complete to signal when an endpoint had been exhaustively checked. The AI was prompted to iterate over every endpoint, varying parameters, HTTP methods, and payloads while applying the tools to detect broken access controls and Insecure Direct Object Reference (IDOR) conditions. This setup turned the model into an autonomous pentester that could operate at scale without human intervention for each individual request.
Iterative Prompt Engineering and Accuracy Improvements
Initial runs produced a high false‑positive rate, prompting a month‑long refinement cycle. Key enhancements included: (1) grouping endpoints by functional similarity (e.g., all user‑management routes) to reuse successful probe patterns; (2) implementing multi‑key probing, where the same request was automatically replayed across all harvested API keys to catch key‑specific misconfigurations; and (3) creating a parser that translated Google’s often cryptic error messages into human‑readable labels (e.g., “permission denied” vs. “resource not found”). After these adjustments, the AI’s vulnerability reporting accuracy exceeded 50 %, drastically reducing the manual workload needed to validate each alert.
Severe Findings: Google Voice/Fiber API Takeover
Among the most critical discoveries was a total lack of authentication on gfibervoice-pa.googleapis.com, the backend for Google Voice and Google Fiber management. A single unauthenticated curl request supplying only a victim’s Gaia ID returned full personally identifiable information (PII), including the Google Voice number and the account recovery phone number. More alarmingly, the API allowed an attacker to assign any arbitrary phone number to the victim’s account, which then appeared under the victim’s verified phones at myaccount.google.com/phone. This flaw enabled potential account takeover and SIM‑swap style attacks. Google classified the issue as P0/S0 (highest severity), patched it within hours, and awarded a $20 000 bounty for the finding alone.
Other High‑Impact Vulnerabilities
The campaign uncovered numerous additional severe bugs:
- AdExchange takeover (
adexchangebuyer) – staging environment pointed at production data, permitting account reading and self‑addition as admin (2 issues, $30 000). - Eldar internal privacy‑assessment API (
eldar-pa.clients6.google.com) – exposed publicly, rewarded twice ($26 674). - YouTube Content ID API – leak of unlisted/private video IDs via auto‑generated assets ($12 000).
- Widevine DRM takeover (
alkaliwidevineintegrationconsole-pa) – exposure of organization IDs, encryption keys, and ability to self‑add to any org ($16 004.40). - PLX/DataHub (
datahubstaging) –setIamPolicyself‑grant as dataset owner, enabling dump of confidential YouTube data (2 issues, $12 000). - Nest device‑owner deanonymization (
nestauthproxyservice-pa) – sequential ID → Gaia ID → email chain via Play Books license (no bounty disclosed). - Translation Hub (
translationhub.googleapis.com) – unauthenticatedListOperations, cross‑tenant read/write, and Google Cloud Storage exfiltration (3 issues, $36 500). - YouTube TV CMS (
alkalitvfilm-pa) – missing access control on campaign CRUD, leaking CMS account emails ($24 000). - Vertex AI Search for Commerce (
retail.googleapis.com) – unauth read/write of intent‑classification config, enabling prompt injection ($30 000). - Cloud Console GraphQL – three distinct flaws: App Engine request‑log leak (
GAE_GRAPHQL, $18 000, CVE‑2026‑8934), Vertex Assistant session read/write (AIPLATFORM_GRAPHQL, $30 000), and Google Maps Platform billing‑credit + PII leak (GMP_GRAPHQL, $12 000).
Each of these vulnerabilities was responsibly submitted through Google’s VRP, with the researcher collecting cumulative bounties exceeding $500 000 in under three months.
Responsible Disclosure and Bounty Totals
All findings were reported promptly to Google’s Vulnerability Reward Program. The company acknowledged the severity of the issues, issued patches rapidly—sometimes within hours for the most critical flaws—and paid out the advertised bounties. The total payout approached half a million dollars, underscoring both the scale of the exposed attack surface and the effectiveness of the AI‑assisted methodology. The researcher’s success demonstrates that even organizations with mature security programs can harbor significant gaps when API discovery and authentication controls are not rigorously enforced.
Implications for Offensive Security
This case marks a clear evolution in how offensive security can be conducted: AI is no longer confined to defensive roles such as anomaly detection or malware classification. In the hands of skilled researchers, generative models paired with purpose‑built tooling become a scalable vulnerability discovery engine capable of probing thousands of endpoints, interpreting nuanced error responses, and prioritizing high‑impact findings with minimal human oversight. As adversaries increasingly adopt similar techniques, defenders must invest in continuous API visibility, strict enforcement of least‑privilege access controls, and robust monitoring for anomalous credential usage. The brutecat campaign serves as a potent reminder that the balance between attack and defense is shifting, and staying ahead requires embracing the same automation and intelligence that attackers now wield.