Sreeram KL

The written version of my BSides Riga and @bsidesvilnius talks is up: exploiting git integrations in cloud services, with four bugs I found in GCP (Looker, Dataform), including the one that won me MVH. nopnop.pro/2026/06/17/exp…

Source maps left enabled in production on a Google site exposed the full spec for First Party Auth v2, down to the header fields that no public writeup had. These exist so minified JS maps back to readable source for debugging, they hand that source to anyone who looks, comments and all. The fields it laid out were the ones FPAv2 folds into its signed authorization header, the internal scaffolding that normally never leaves Google. With them Brutecat could compute a valid FPAv2 header and authenticate to most of Google's API surface straight from the browser, one click per method, and since first-party auth is the way in for roughly nine of ten APIs carrying a client6.google.com alias, a single forgotten source map became working auth across nearly the whole estate. That was the layer the AI scanning sat on top of as it worked through Google's APIs, $670K in bounties over the following 3~4 months.

Hacking Google with A.I. for $500,000 brutecat.com/r/hacking-goog…

Not everyone who reports to Google Cloud VRP does a writeup, but critical bugs still show up in CVEs and release notes Made a tool that aggregates both so you can see the types of bugs getting found in GCP gcp-cves.brutecat.com

Full Disclosure: 1-Click GitHub Token Stealing via a VSCode Bug blog.ammaraskar.com/github-token-s…

The same bug class Google Project Zero's Ian Beer reported in 2017 as CVE-2017-13847. Apple patched it then. The fix regressed. Nine years later, the ghost came back. Read here : ganasec.com/blog/the-2017-… Patched across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. #GanaSec

StubZero: $148,337 RCE in Google Cloud Production brutecat.com/articles/googl…

Anyone I know interested in joining the Google Security Team in Zurich? Let me know, I can give a referral :D Here's the job posting: google.com/about/careers/…

New Google VRP writeup "1-click Oauth client takeover through henhouse UI" for a bounty of $13,340 by rand0m_unk0wn: random-unknown-username.github.io/random-unknown…

Read our technical walkthrough: nebusec.ai/research/v8-ma…

$14,337 Google Bug Bounty 🤑 Hacking Google Support: Leaking millions of customer records by Michael Dalton 🤯🔥 👨‍💻 Michael Dalton (michaeldalton.au) 🔗 michaeldalton.au/posts/hacking-…

Bug write-up for "Google AI Studio XSS" ndevtk.github.io/writeups/2026/… (ﾉ*･ω･)ﾉ

Authorization bypass in Google Cloud Workstations. → Manipulate a JSON parameter → Bypass domain validation → Steal the OAuth access token Full breakdown👇🏻 youtu.be/ePtb39i7sQw?si… via @YouTube Credits: @sivaneshashok & @kl_sree (OG Duo)

My first memory corruption report. Believe it or not, I didn't use AI to find the vulnerability or to write the exploit. I used it only to learn faster. Took me 5 months. It will be my last, starting new projects...

Finding Zero-Days with Any Model provos.org/p/finding-zero…

@yuvalavra 👏👏👏

The takeaway: If you don't account for how your cloud provider handles resources internally, you aren't really in control of your data. Big thanks to the @GoogleVRP team for the quick patches. Read the full breakdown here: focalsecurity.io/blog/kicking-t…

3-parts series on 0-click exploit chain targeting Android Pixel 9 From arbitrary code execution in mediacodec to kernel privilege escalation Part 1: projectzero.google/2026/01/pixel-… Part 2: projectzero.google/2026/01/pixel-… Part 3: projectzero.google/2026/01/pixel-… Research @natashenka and @__sethJenkins #infosec

The first version of APIClient has been released chromewebstore.google.com/detail/api-sec… it supports API learning with key tracking based on usage and Google/Swagger discovery documents plus XSS finding also replacement for postLogger extension. It's not perfect, create GitHub issues :)