Sivanesh Ashok

292 posts

Sivanesh Ashok

@sivaneshashok

Security Researcher | Google VRP

เข้าร่วม Nisan 2015

390 กำลังติดตาม1.5K ผู้ติดตาม

ทวีตที่ปักหมุด

Sivanesh Ashok@sivaneshashok·1 Tem

@kl_sree and I won the 2nd, 3rd and 4th places in 2022's Google Cloud VRP prizes! Still hard to believe that we got 3 of them. Thank you @GoogleVRP for this wonderful platform❤️ security.googleblog.com/2023/06/google… #bugbounty

English

101

12.4K

Sivanesh Ashok รีทวีตแล้ว

Sandiyo Christan@ChristanSandiyo·5 May

Authorization bypass in Google Cloud Workstations. → Manipulate a JSON parameter → Bypass domain validation → Steal the OAuth access token Full breakdown👇🏻 youtu.be/ePtb39i7sQw?si… via @YouTube Credits: @sivaneshashok & @kl_sree (OG Duo)

YouTube

English

1.6K

Sivanesh Ashok@sivaneshashok·5 May

@inspector_amb Wow! Congratulations 🔥

English

138

Sivanesh Ashok รีทวีตแล้ว

inspector-ambitious@inspector_amb·5 May

My first memory corruption report. Believe it or not, I didn't use AI to find the vulnerability or to write the exploit. I used it only to learn faster. Took me 5 months. It will be my last, starting new projects...

English

3.5K

105.9K

Sivanesh Ashok@sivaneshashok·13 Şub

Beautiful technique, just came in clutch

Critical Thinking - Bug Bounty Podcast@ctbbpodcast

— Bonus tip: Here’s a solution that Justin came up. Instead of relying solely on fetchLater()’s timeout, you can chain redirects from your own server, each with a 300-second delay, which is the max Chrome allows. If you do this in a loop 20 times, you can stall the request for up to 90 minutes. That means even after the tab is closed, the request stays pending. Once the victim logs in, it completes using their session cookies. Massively extending what fetchLater() can do and turns it into a post-login execution vector without needing any session management tricks or iframe context.

English

774

Sivanesh Ashok รีทวีตแล้ว

OmerAF@omer_asfu·2 Şub

👼GatewayToHeaven (CVE-2025-13292). I discovered a cross-tenant vulnerability in @GoogleCloud's #Apigee, allowing me to access other organizations' data (and sometimes even plaintext JWTs of end users). Below is the full breakdown of the exploit chain⛓️

English

110

559

64K

Sivanesh Ashok รีทวีตแล้ว

Google VRP (Google Bug Hunters)@GoogleVRP·20 Oca

Want to see what top-notch security research looks like? Look no further than @j_domeracki's latest research, a standout contributor to the Google Cloud VRP! 🪲💪 jdsec.cloud/posts/2026-01-…

English

368

27.6K

Sivanesh Ashok@sivaneshashok·11 Ara

Thanks Valentino! ❤️

Valentino Massaro@valent1nee

Great episode!! cloud.withgoogle.com/cloudsecurity/…

English

1.2K

Sivanesh Ashok@sivaneshashok·5 Ara

The sandbox inheritance trick is gold! Loved this episode🔥

Critical Thinking - Bug Bounty Podcast@ctbbpodcast

HackerNotes TLDR for episode 151! — blog.criticalthinkingpodcast.io/p/hackernotes-… ►⠀Null Origin Bypasses: Sandbox iframes with null origins bypass event.origin checks against window.origin because string comparison of "null" passes validation. ►⠀CHIPS Partitioning: Cookies with the partitioned attribute are keyed by scheme + eTLD+1 + iframed host, not just domain. ►⠀Sandbox Inheritance: window.open() from sandboxed iframes inherits sandbox properties (except allow-top-level-navigation). ►⠀Client-Side Routes: Single-page applications expose their entire routing logic in JavaScript - reverse engineer route definitions to discover parameters and endpoints.

English

912

Sivanesh Ashok@sivaneshashok·13 Kas

@NightmareJS @Rhynorater @terminatorLM I'm reminded of doing shots on the trophy 😂 it's a tradition now

English

kat traxler@NightmareJS·13 Kas

@Rhynorater @terminatorLM Would love to ✨ Also hit up @terminatorLM And the current reigning Cloud MVH’s @sivaneshashok

English

163

Justin Gardner@Rhynorater·12 Kas

Which bug bounty hunters do you know of specialize in cloud security?

English

109

13.6K

Valentino Massaro@valent1nee·10 Kas

I'm really excited to share my first research article related to hacking Google Gemini! buganizer.cc/hacking-gemini… #bugSWAT #GoogleVRP

English

104

488

65.9K

Sivanesh Ashok@sivaneshashok·11 Kas

@valent1nee Great work Valentino! 🔥

English

623

Sivanesh Ashok@sivaneshashok·19 Eki

@ThisIsDK999 Happy birthday man! ✨

English

Debangshu 🇮🇳🥷@ThisIsDK999·18 Eki

🎂 22!

127

skull@brutecat·5 Eki

Wrapping up an amazing time at Google #bugSWAT Mexico 2025. It was a privilege meeting so many brilliant people including @epereiralopez, @kl_sree, @sivaneshashok and more. Thrilled that my report was featured in init.g and used to inspire students. That's truly rewarding.

English

13.5K

Sivanesh Ashok@sivaneshashok·6 Eki

@brutecat @epereiralopez @kl_sree Nice to meet you too :) Your work is legit so impressive! I wish more people could see it.

English

833

Sivanesh Ashok รีทวีตแล้ว

Eduardo Vela@sirdarckcat·26 Eyl

An in depth summary of the consequences of the reward changes we made in 2024! arxiv.org/abs/2509.16655

English

7.8K

Sivanesh Ashok@sivaneshashok·21 Eyl

@_naaash_ @sudhanshur705 💀

QME

245

Avi@_naaash_·21 Eyl

@sivaneshashok @sudhanshur705 I opened it, and felt like a sketchy site with multiple fake “download now” buttons 😭

English

497

Sivanesh Ashok@sivaneshashok·21 Eyl

Disingenuous to copy @sudhanshur705 's bug and not give him any credit. Especially when you are driving traffic to the ads in your blog.

English

5.2K

Sivanesh Ashok@sivaneshashok·21 Eyl

@sudhanshur705 Your writeup so good people have to copy it for likes 😏

English

230

sudi@sudhanshur705·21 Eyl

@sivaneshashok No suprise , all of their blogposts are a copy 🤡

English

411

Sivanesh Ashok@sivaneshashok·13 Eyl

@inspector_amb @njcve_ @GoogleVRP Haha I'm glad to hear from the actual GOAT 🐐

English

110

inspector-ambitious@inspector_amb·13 Eyl

@sivaneshashok @njcve_ @GoogleVRP GOAT!

English

142

Sivanesh Ashok@sivaneshashok·13 Eyl

@GoogleVRP wrote a blog about this bugswat bughunters.google.com/blog/536440198…

Sivanesh Ashok@sivaneshashok

@kl_sree and I took home MVH at Google Cloud bugSWAT in Sunnyvale 🎉 We submitted ~15 bugs, and even got to visit the Googleplex Huge shoutout to @sudhanshur705 and @rootxharsh for their amazing contribution! Big thanks to @GoogleVRP - the best bug bounty program out there 🐞🐛

English

625

ค้นพบ

@YouTube @kl_sree @inspector_amb @GoogleCloud @j_domeracki @NightmareJS @Rhynorater @terminatorLM