AI-Driven Fuzzing and API Discovery
A security researcher, Arvin Shivram from Brutecat Security, developed an AI-driven fuzzing pipeline that systematically analyzed Google’s infrastructure. The approach targeted discovery documents and machine-readable API specifications, similar to Swagger documentation, which list available endpoints, parameters, and methods. While some of these documents are publicly available, many internal Google APIs require valid API keys to access. To overcome this, Shivram and collaborator Michael Dalton harvested credentials at scale by scraping over 60,000 Android APKs, decrypting iOS binaries, and building a custom Chrome extension. This allowed them to access roughly 1,500 APIs and uncover systemic access control failures.
Impact and Scope of Vulnerabilities
In under three months, the pipeline identified vulnerabilities that earned more than $500,000 in bug bounties. The issues ranged from account takeover in Google Voice and Fiber services to unauthenticated access to internal privacy assessment APIs. Notable findings included the ability to leak unlisted or private YouTube video IDs, compromise Widevine DRM systems, and gain cross-tenant read or write access through Translation Hub. One critical vulnerability allowed disclosure of Nest device owners through sequential ID chaining. The researcher also found issues in Vertex AI Search for Commerce, including prompt injection and unauthorized read or write access to intent classification configurations. One of the Cloud Console GraphQL vulnerabilities was assigned CVE-2026-8934.
Source: Cyber Security News
