Automating Discovery: How AI-Driven Fuzzing Unlocked $500,000 in Google Bug Bounties
In a landmark demonstration of automated vulnerability research, security researcher Arvin Shivram has secured $500,000 in bounties from Google’s Vulnerability Reward Program (VRP). By deploying a custom, AI-augmented fuzzing framework against Google’s internal API infrastructure, Shivram successfully identified critical access-control flaws across a massive attack surface in less than 90 days.
The campaign was catalyzed by Shivram’s participation in bugSWAT Mexico in October 2025, an event that prompted a deep re-examination of Google’s expansive API ecosystem. Shivram identified a significant strategic opportunity: Google frequently publishes machine-readable discovery documents and API specifications—analogous to OpenAPI/Swagger documentation—for both public and internal-facing services. This provided the perfect blueprint for an AI-driven exploitation engine.
Methodology: Deep Reconnaissance and Asset Harvesting
The research was not a “black box” AI experiment; it was preceded by rigorous, manual reconnaissance conducted by Shivram and his collaborator, Michael. To map the target environment, the team executed a multi-vector data collection strategy:
- Application Scraping: They ingested over 60,000 Android APKs, covering the entire historical versioning of the Google application suite.
- Traffic Interception: A custom-built Chrome extension was deployed to intercept live API telemetry across more than 2,800 Google-owned domains.
- Credential Harvesting: The team successfully extracted over 3,600 API keys embedded within native Google applications.
- Subdomain Enumeration: By leveraging certificate transparency logs and brute-force permutations, they identified more than 1,500 live internal APIs. Many of these were obscured by visibility controls, requiring specific parameters such as ?labels=GOOGLE_INTERNAL to expose undocumented endpoints.
A pivotal technical milestone involved reverse-engineering Google’s proprietary First Party Authentication (FPA) v2 system. The team discovered that source maps for Google’s internal gapix library had been inadvertently exposed on android-review.googlesource.com. This leak exposed the underlying SHA-1 token generation algorithm, enabling the researchers to forge valid FPA authorization headers and bypass authentication barriers to reach sensitive internal endpoints.
The AI Engine: MCP-Integrated Fuzzing
To scale the exploitation phase, Shivram implemented the Model Context Protocol (MCP), integrating all 1,500 discovered API documentation files as tools for a large language model. As detailed in Brutecat’s technical breakdown, the AI was transformed into a specialized security agent.
The system was equipped with a suite of functional tools, including probe_api, report_vulnerability, and confirm_testing_complete. The core of the operation relied on a highly refined system prompt, engineered over a month to mitigate the “noise” typically associated with LLM-based testing. Early iterations struggled with false positives—such as flagging 500-series server errors or existence-enumeration oracles—but the framework eventually achieved a precision rate exceeding 50% for confirmed findings.

The research workflow utilized a custom API Explorer UI to validate AI-generated findings instantly. (Source: Brutecat)
Critical Findings and Impact
The most devastating vulnerability discovered was a Google Voice Account Takeover (ATO). The endpoint gfibervoice-pa.googleapis.com was found to be entirely unauthenticated. By providing only a victim’s Gaia ID, an attacker could use a simple curl command to retrieve sensitive PII, including phone numbers, Gmail recovery addresses, and call forwarding configurations. Furthermore, the API allowed unauthorized users to reassign Google Voice numbers to target accounts, a precursor to sophisticated SIM-swap attacks. Google classified this as P0/S0 and patched it within hours.
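The two failure modes the article highlights, an endpoint that never checks who is calling (the Google Voice case) and a 404-vs-403 existence oracle of the kind the AI framework learned to ignore, are modelled below. This is an added illustration, not code from the article or from Google; the Gaia IDs, profile data and scope names are constructed sample values, and the HTTP status codes stand in for real framework responses.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed backing store keyed by Gaia ID (sample data, not real accounts).
PROFILES = {
    "1001": {"phone": "+1-555-0100", "recovery_email": "alice@example.com"},
    "1002": {"phone": "+1-555-0101", "recovery_email": "bob@example.com"},
}

@dataclass
class Principal:
    gaia_id: str        # identity proven by a validated session or OAuth token
    scopes: frozenset   # constructed scope names, e.g. {"voice.read", "voice.admin"}

class AuthError(Exception):
    """Carries the HTTP status a real handler would return: 401 or 403."""
    def __init__(self, status: int):
        super().__init__(status)
        self.status = status

def get_profile_unauthenticated(gaia_id: str) -> dict:
    """Vulnerable shape: anyone who knows a Gaia ID receives the owner's PII."""
    return PROFILES[gaia_id]

def _authorize(caller: Optional[Principal], gaia_id: str, needed_scope: str) -> None:
    """Hardened check: an identity must exist (else 401), and it must be the
    object owner holding the needed scope, or an admin (else 403). It runs
    before any lookup, so an unauthorised caller learns nothing about whether
    the Gaia ID exists (same 403 for a real and an unknown ID)."""
    if caller is None:
        raise AuthError(401)
    is_owner = caller.gaia_id == gaia_id and needed_scope in caller.scopes
    if not is_owner and "voice.admin" not in caller.scopes:
        raise AuthError(403)

def get_profile_hardened(caller: Optional[Principal], gaia_id: str) -> dict:
    _authorize(caller, gaia_id, "voice.read")
    return PROFILES[gaia_id]

def reassign_number_hardened(caller: Optional[Principal], gaia_id: str, number: str) -> dict:
    """State-changing path: same object-level check, but requiring a write scope."""
    _authorize(caller, gaia_id, "voice.write")
    PROFILES[gaia_id]["phone"] = number
    return PROFILES[gaia_id]

def status_of(handler: Callable, *args) -> int:
    """Helper for tests: 200 on success, otherwise the AuthError status."""
    try:
        handler(*args)
        return 200
    except AuthError as e:
        return e.status
```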
Other high-impact vulnerabilities included:
- AdExchange (Google Ads) ATO: An internal endpoint that exposed publisher account lists and a sandbox environment with broken access controls.
- Internal TAM Leak: A vulnerability in the support.google.com CMS API that leaked internal Technology Account Manager (TAM) assignments.
Summary of Documented Vulnerabilities
| # | Vulnerability Type | Affected Service | Severity | Bounty |
|---|---|---|---|---|
| 1 | Google Voice ATO (Unauthenticated PII/Phone Takeover) | gfibervoice-pa.googleapis.com | P0/S0 Critical | $20,000 |
| 2 | AdExchange ATO (Broken Access Control) | adexchangebuyer.clients6.google.com | Critical | Undisclosed |
| 3 | TAM Data Leak | contentmanager.clients6.google.com | High | $9,000 |
| 4 | API Explorer IDOR | Internal People API | Medium | $6,000 |
| 5 | Mass API Access Control Flaws | Various *.googleapis.com | Med–Critical | Remainder of $500k |
This campaign represents a paradigm shift in offensive security. It proves that when AI is coupled with sophisticated reconnaissance and a “human-in-the-loop” validation model, it can uncover high-severity vulnerabilities at a velocity and scale that traditional manual testing cannot match.