
Security researchers from Brutecat have published a detailed account of how they built an AI-powered fuzzing pipeline — using Anthropic's Claude — to systematically probe Google's internal API infrastructure, ultimately earning over $500,000 in bug bounty payouts across roughly three months of automated testing.
The blog post, published this week, is one of the most technically exhaustive Google VRP (Vulnerability Reward Program) write-ups in recent memory, and it raises uncomfortable questions about how much attack surface large platform companies are quietly exposing through internal APIs that were never meant to be public.
The Setup: 60,000 APKs and 3,600 API Keys
The operation began with raw data collection. Brutecat and a collaborator scraped over 60,000 Android APKs — every version of every Google app ever released — to extract embedded API keys. They also built a Chrome extension to intercept live network traffic across 2,800+ Google web domains and decrypted every Google IPA binary they could find.
The result: roughly 3,600 unique API keys, filtered to confirm they belonged to google.com-owned GCP projects. These keys became the unlock mechanism for accessing Google's discovery documents — machine-readable API specs similar to Swagger docs — which map out every available endpoint, parameter, and method for a given API.
Google removed the standard /$discovery/rest path in July 2025, but by probing visibility-gated endpoints with internal label parameters such as ?labels=GOOGLE_INTERNAL, Brutecat assembled discovery documents for over 1,500 Google APIs.
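As an added illustration of the discovery-document format the article refers to (this is not Brutecat's tooling), the function below flattens a document's nested resources into an endpoint inventory and flags methods that declare no OAuth scopes, which is where an access-control review of one's own APIs would start. The document is a constructed sample in the real discovery layout; its service name, host and paths are made up.

```python
# Constructed sample in the Google API discovery document format; the service
# name, host and paths are made up and do not belong to any real Google API.
SAMPLE_DOC = {
    "name": "examplevoice", "version": "v1",
    "rootUrl": "https://examplevoice-pa.example.invalid/", "servicePath": "",
    "resources": {
        "accounts": {
            "methods": {
                "get": {
                    "id": "examplevoice.accounts.get", "httpMethod": "GET",
                    "path": "v1/accounts/{accountId}",
                    "parameters": {"accountId": {"location": "path", "required": True}},
                    "scopes": ["https://www.googleapis.com/auth/example"],
                }
            },
            "resources": {  # resources nest arbitrarily deep in discovery documents
                "numbers": {
                    "methods": {
                        "assign": {  # note: declares no "scopes"
                            "id": "examplevoice.accounts.numbers.assign", "httpMethod": "POST",
                            "path": "v1/accounts/{accountId}/numbers:assign",
                            "parameters": {"accountId": {"location": "path", "required": True}},
                        }
                    }
                }
            },
        }
    },
}

def iter_methods(doc):
    """Flatten every method in the document, walking nested resources in order."""
    base = doc["rootUrl"] + doc.get("servicePath", "")

    def walk(node):
        for m in node.get("methods", {}).values():
            params = m.get("parameters", {})
            yield {"id": m["id"], "http": m["httpMethod"], "url": base + m["path"],
                   "required": sorted(n for n, p in params.items() if p.get("required")),
                   "scopes": m.get("scopes", [])}
        for sub in node.get("resources", {}).values():  # recurse into sub-resources
            yield from walk(sub)

    yield from walk(doc)

def unscoped_methods(doc):
    """Methods declaring no OAuth scopes: the first candidates for an access-control review."""
    return [m["id"] for m in iter_methods(doc) if not m["scopes"]]
```

The same walk works unchanged on a real discovery document fetched for an API you operate, since top-level `methods` and nested `resources` are handled alike.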
Where AI Came In
Rather than manually testing thousands of endpoints, Brutecat fed the discovery documents into Claude as MCP (Model Context Protocol) tools, enabling the AI to probe APIs directly. The system prompt instructed the model to hunt specifically for IDOR vulnerabilities and broken access control — the class of bugs in which one user can access or modify another user's data without authorization.
Early attempts were noisy. The AI exited tests early, over-reported non-issues, and consumed too much context. After a month of iteration, Brutecat refined the approach: grouping endpoints into logical clusters, parsing cryptic Google error codes into plain English labels, and, crucially, attaching operation IDs to every probe so findings could be replayed with a single click in a custom-built API Explorer frontend.
With validation friction eliminated, the AI's signal-to-noise ratio improved dramatically. "Once these two problems were solved, the AI started finding bugs left and right with over 50% accuracy," Brutecat wrote.
What Google Left Exposed
The bugs that surfaced span some of Google's most sensitive internal services:
Google Voice / Google Fiber API — The gfibervoice-pa.googleapis.com endpoint had zero access controls. A single unauthenticated curl command, supplying any Google account's unobfuscated Gaia ID (Google's internal account identifier), could dump their Google Voice number, notification email, voicemail PIN, and — under specific conditions — their account recovery phone number. A separate endpoint allowed assigning a Google Voice number to any account without the victim's consent. This bug was rated P0/S0, patched within hours, and paid out $20,000.
AdExchange staging-to-prod bleed — Google's AdExchange staging environment (test-adexchangebuyer-googleapis.sandbox.google.com) had all its access controls stripped, but was reading and writing directly to production data. Anyone could list users of any AdExchange account, view contact emails, and add themselves as admin. Rewarded $30,000.
YouTube unlisted video leakage — YouTube's Content ID API inadvertently exposed the video IDs of unlisted partner uploads by embedding them in auto-generated asset names. Since requests could be polled every 30 seconds, an attacker could maintain a real-time feed of every unlisted video uploaded to YouTube by any channel in the Partner Program — including pre-release product announcement videos. Brutecat noted this could be weaponized for insider-knowledge bets on prediction markets. Rewarded $12,000.
Widevine DRM key exposure — The Widevine integration console API, which major studios like Netflix and Disney use to manage content protection keys, allowed any authenticated Google account to enumerate all organizations on the platform, dump their AES encryption keys, list their users, and add themselves to any organization. Rewarded $16,004.
Eldar internal privacy system — Google's internal eldar.corp.google.com system, used for managing employee privacy assessments and internal logs access requests, had its backend API publicly accessible on eldar-pa.clients6.google.com. Any external user could query confidential internal submissions. Rewarded $26,674.
PLX/DataHub — YouTube analytics tables — A staging DataHub API allowed the researcher to add themselves as the owner of Google's internal ytdata dataset, which contains petabytes of YouTube analytics. The researcher listed the table schemas — including s_bt_weekly_estimated_payments_avod_claim at 2.1 petabytes — before stopping. Rewarded $12,000.
Vertex AI Search for Commerce prompt injection — Any authenticated Google account could overwrite the conversationalSearchCustomizationConfig of any GCP project, essentially hijacking the AI system prompt that governs a retailer's customer-facing search assistant. Impact: arbitrary prompt injection into production AI, bypassing victim-defined blocklists. Rewarded $30,000.
Cloud Console GraphQL endpoint — Working with collaborator Michael Dalton, Brutecat discovered the Cloud Console's staging GraphQL API bypassed signature validation for unauthenticated requests. This exposed 3,448 entity/schema pairs to unauthenticated introspection, including App Engine request logs (which often contain password reset tokens and webhook URLs), Vertex Assistant session transcripts, and Google Maps Platform billing credit details, including customer PII entered by Google staff.
A Pattern, Not a One-Off
Brutecat's conclusion is blunt: the same vulnerability class surfaced repeatedly across entirely different product teams. Missing IAM checks, sandbox environments pointing at production databases, internal APIs exposed without authentication, GraphQL schemas with no authorization layer — none of these required a novel exploit. They required scale and patience.
That's precisely what the AI delivered. Google's server-side architecture is unusually standardized, and once Brutecat abstracted away the authentication complexity, the AI could focus entirely on testing each endpoint's logic.
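The recurring defect behind the Google Voice finding and the "missing IAM checks" pattern above, a handler that selects a record by a client-supplied account id without asking who is calling, shown beside the check that closes it. This is an added illustration written for this article, not Brutecat's or Google's code; the profile store, account ids and admin set are constructed.

```python
from dataclasses import dataclass
from typing import Optional

class Unauthenticated(Exception):
    """No verified caller identity on the request."""

class Forbidden(Exception):
    """Caller is authenticated but not allowed to act on the requested resource."""

@dataclass
class Request:
    caller_id: Optional[str]   # identity established by the auth layer; None if anonymous
    params: dict               # client-controlled input, never trusted for authorization

# Constructed sample data: per-account profiles keyed by an internal account id.
PROFILES = {
    "acct-1001": {"voice_number": "+1-555-0101", "voicemail_pin": "4821"},
    "acct-1002": {"voice_number": "+1-555-0102", "voicemail_pin": "7730"},
}
ADMINS = {"acct-9000"}  # constructed: principals allowed to read any account

def get_profile_vulnerable(req: Request) -> dict:
    """The IDOR shape: the id in the request picks the record; nobody checks the caller."""
    return PROFILES[req.params["account_id"]]

def get_profile_hardened(req: Request) -> dict:
    """Authenticate first, then authorize the caller against the *requested* account."""
    if req.caller_id is None:
        raise Unauthenticated()
    target = req.params["account_id"]
    if req.caller_id != target and req.caller_id not in ADMINS:
        raise Forbidden()        # decided before the lookup, so existence is not leaked
    return PROFILES[target]

def handle(handler, req: Request):
    """Minimal dispatcher mapping the outcome to an HTTP-style (status, body) pair."""
    try:
        return 200, handler(req)
    except Unauthenticated:
        return 401, None
    except Forbidden:
        return 403, None
    except KeyError:
        return 404, None
```

Note that the vulnerable handler returns 200 to an anonymous request naming any account, which is exactly the unauthenticated-curl behaviour the article describes; the hardened one returns 401 or 403 before touching the store.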
All reported vulnerabilities have been patched. The Google App Engine bug (CVE-2026-8934) received an official CVE assignment.
Google has not publicly commented on the research.