Sivanesh Ashok

289 posts

Sivanesh Ashok

@sivaneshashok

Security Researcher | Google VRP

Katılım Nisan 2015

389 Takip Edilen1.5K Takipçiler

Sabitlenmiş Tweet

Sivanesh Ashok@sivaneshashok·1 Tem

@kl_sree and I won the 2nd, 3rd and 4th places in 2022's Google Cloud VRP prizes! Still hard to believe that we got 3 of them. Thank you @GoogleVRP for this wonderful platform❤️ security.googleblog.com/2023/06/google… #bugbounty

English

100

12.2K

Sivanesh Ashok@sivaneshashok·13 Şub

Beautiful technique, just came in clutch

Critical Thinking - Bug Bounty Podcast@ctbbpodcast

— Bonus tip: Here’s a solution that Justin came up. Instead of relying solely on fetchLater()’s timeout, you can chain redirects from your own server, each with a 300-second delay, which is the max Chrome allows. If you do this in a loop 20 times, you can stall the request for up to 90 minutes. That means even after the tab is closed, the request stays pending. Once the victim logs in, it completes using their session cookies. Massively extending what fetchLater() can do and turns it into a post-login execution vector without needing any session management tricks or iframe context.

English

672

Sivanesh Ashok retweetledi

OmerAF@omer_asfu·2 Şub

👼GatewayToHeaven (CVE-2025-13292). I discovered a cross-tenant vulnerability in @GoogleCloud's #Apigee, allowing me to access other organizations' data (and sometimes even plaintext JWTs of end users). Below is the full breakdown of the exploit chain⛓️

English

111

562

63.1K

Sivanesh Ashok retweetledi

Google VRP (Google Bug Hunters)@GoogleVRP·20 Oca

Want to see what top-notch security research looks like? Look no further than @j_domeracki's latest research, a standout contributor to the Google Cloud VRP! 🪲💪 jdsec.cloud/posts/2026-01-…

English

369

27.4K

Sivanesh Ashok@sivaneshashok·11 Ara

Thanks Valentino! ❤️

Valentino Massaro@valent1nee

Great episode!! cloud.withgoogle.com/cloudsecurity/…

English

1.1K

Sivanesh Ashok@sivaneshashok·5 Ara

The sandbox inheritance trick is gold! Loved this episode🔥

Critical Thinking - Bug Bounty Podcast@ctbbpodcast

HackerNotes TLDR for episode 151! — blog.criticalthinkingpodcast.io/p/hackernotes-… ►⠀Null Origin Bypasses: Sandbox iframes with null origins bypass event.origin checks against window.origin because string comparison of "null" passes validation. ►⠀CHIPS Partitioning: Cookies with the partitioned attribute are keyed by scheme + eTLD+1 + iframed host, not just domain. ►⠀Sandbox Inheritance: window.open() from sandboxed iframes inherits sandbox properties (except allow-top-level-navigation). ►⠀Client-Side Routes: Single-page applications expose their entire routing logic in JavaScript - reverse engineer route definitions to discover parameters and endpoints.

English

848

Sivanesh Ashok@sivaneshashok·13 Kas

@NightmareJS @Rhynorater @terminatorLM I'm reminded of doing shots on the trophy 😂 it's a tradition now

English

kat traxler@NightmareJS·13 Kas

@Rhynorater @terminatorLM Would love to ✨ Also hit up @terminatorLM And the current reigning Cloud MVH’s @sivaneshashok

English

163

Justin Gardner@Rhynorater·12 Kas

Which bug bounty hunters do you know of specialize in cloud security?

English

111

13.6K

Valentino Massaro@valent1nee·10 Kas

I'm really excited to share my first research article related to hacking Google Gemini! buganizer.cc/hacking-gemini… #bugSWAT #GoogleVRP

English

104

487

65.7K

Sivanesh Ashok@sivaneshashok·11 Kas

@valent1nee Great work Valentino! 🔥

English

623

Sivanesh Ashok@sivaneshashok·19 Eki

@ThisIsDK999 Happy birthday man! ✨

English

Debangshu 🇮🇳🥷@ThisIsDK999·18 Eki

🎂 22!

127

skull@brutecat·5 Eki

Wrapping up an amazing time at Google #bugSWAT Mexico 2025. It was a privilege meeting so many brilliant people including @epereiralopez, @kl_sree, @sivaneshashok and more. Thrilled that my report was featured in init.g and used to inspire students. That's truly rewarding.

English

12.2K

Sivanesh Ashok@sivaneshashok·6 Eki

@brutecat @epereiralopez @kl_sree Nice to meet you too :) Your work is legit so impressive! I wish more people could see it.

English

649

Sivanesh Ashok retweetledi

Eduardo Vela@sirdarckcat·26 Eyl

An in depth summary of the consequences of the reward changes we made in 2024! arxiv.org/abs/2509.16655

English

7.8K

Sivanesh Ashok@sivaneshashok·21 Eyl

@_naaash_ @sudhanshur705 💀

QME

245

Avi@_naaash_·21 Eyl

@sivaneshashok @sudhanshur705 I opened it, and felt like a sketchy site with multiple fake “download now” buttons 😭

English

497

Sivanesh Ashok@sivaneshashok·21 Eyl

Disingenuous to copy @sudhanshur705 's bug and not give him any credit. Especially when you are driving traffic to the ads in your blog.

English

5.1K

Sivanesh Ashok@sivaneshashok·21 Eyl

@sudhanshur705 Your writeup so good people have to copy it for likes 😏

English

230

sudi@sudhanshur705·21 Eyl

@sivaneshashok No suprise , all of their blogposts are a copy 🤡

English

411

Sivanesh Ashok@sivaneshashok·13 Eyl

@inspector_amb @njcve_ @GoogleVRP Haha I'm glad to hear from the actual GOAT 🐐

English

110

inspector-ambitious@inspector_amb·13 Eyl

@sivaneshashok @njcve_ @GoogleVRP GOAT!

English

135

Sivanesh Ashok@sivaneshashok·13 Eyl

@GoogleVRP wrote a blog about this bugswat bughunters.google.com/blog/536440198…

Sivanesh Ashok@sivaneshashok

@kl_sree and I took home MVH at Google Cloud bugSWAT in Sunnyvale 🎉 We submitted ~15 bugs, and even got to visit the Googleplex Huge shoutout to @sudhanshur705 and @rootxharsh for their amazing contribution! Big thanks to @GoogleVRP - the best bug bounty program out there 🐞🐛

English

612

Sivanesh Ashok@sivaneshashok·12 Eyl

@KhamarDhaval @kl_sree Thanks a lot! :)

English

Dhaval Khamar@KhamarDhaval·12 Eyl

Congratulations to @sivaneshashok And @kl_sree 🎉🎉🎉 bughunters.google.com/blog/536440198…

English

510

Sivanesh Ashok@sivaneshashok·5 Eyl

@j_domeracki @kl_sree @Rhynorater 😂😂

QME

Jakub Domeracki@j_domeracki·5 Eyl

@kl_sree @Rhynorater @sivaneshashok Shit, I went all in 😂

English

122

Justin Gardner@Rhynorater·4 Eyl

We're gonna have a really fun guest on the podcast within the next couple weeks...

English

107

12.4K

Sivanesh Ashok@sivaneshashok·31 Tem

@sudhanshur705 @MtnBer @kl_sree Such a nice bug 🔥

English

296

sudi@sudhanshur705·31 Tem

Last year I found a XSS bug in Google IDX here's a detail writeup about it. Hope you will enjoy it's kinda lengthy :p Shoutouts to @MtnBer for finding the original bug in Gitlab and @kl_sree @sivaneshashok for the required chains to complete the exploit. sudistark.github.io/2025/07/02/idx…

English

373

25.5K

Keşfet

@googlecloud @j_domeracki @NightmareJS @Rhynorater @terminatorLM @valent1nee @ThisIsDK999 @kl_sree