A security researcher has revealed how artificial intelligence helped uncover a series of critical vulnerabilities within Google’s infrastructure, leading to more than $500,000 (approximately ₹4.29 crore) in bug bounty rewards. The researcher, known online as “brutecat,” claims to have identified over 20 significant security flaws across nearly 1,500 Google APIs and internal systems in less than three months.
The findings have drawn widespread attention in the cybersecurity community, highlighting the growing role of AI in large-scale vulnerability discovery and security research.
Registration Begins for FutureCrime Summit 2026, India’s Largest Cybercrime Conference
The API Discovery Document Entryway
According to the researcher, the investigation began with Google’s discovery documents—machine-readable API specifications that describe available endpoints, parameters, and methods. While some of these documents are publicly accessible for services such as YouTube APIs, others relate to internal Google systems and are generally not intended for broad public access.
To expand the scope of testing, the researcher and a collaborator analyzed tens of thousands of Android applications and iOS binaries to identify valid API credentials. The effort reportedly involved examining more than 60,000 Android APKs and numerous other sources, ultimately yielding around 3,600 API keys that could be used to interact with various Google services.
Google Voice and Fiber Account Exposure
One of the most severe vulnerabilities was discovered in a Google Voice and Google Fiber-related API. According to the report, an attacker could allegedly obtain sensitive user information, including phone numbers and account recovery numbers, through a simple request. More critically, the flaw reportedly made it possible to associate a phone number with a victim’s Google account without authorization. Google classified the issue as extremely severe and patched it within hours of disclosure.
The researcher also identified vulnerabilities affecting advertising platforms, YouTube-related systems, Widevine DRM services, Translation Hub, Vertex AI Search, Cloud Console GraphQL components, and several other Google platforms. In some cases, the flaws could have enabled unauthorized access to sensitive data, privilege escalation, or exposure of internal resources.
Automating Audits with Claude AI
A key factor behind the discovery campaign was the use of a customized AI-powered testing framework built around Claude AI. The system was designed to automatically analyze APIs, identify potential access-control weaknesses, and generate vulnerability reports. Over time, the researcher refined the platform through prompt engineering and workflow improvements, allowing it to test large numbers of endpoints efficiently and flag suspicious behavior for manual review.
Cybersecurity experts say the case demonstrates how artificial intelligence is transforming offensive and defensive security practices alike. Tasks that previously required months of manual testing can now be accelerated significantly through automated AI-assisted analysis.
Balancing Automated Vulnerability Risks
A researcher at Algoritha Security said that AI-driven security testing is reshaping the way vulnerabilities are discovered across complex digital ecosystems. However, the expert cautioned that the same capabilities could also be exploited by malicious actors if advanced AI systems are used irresponsibly.
Google acknowledged the reported vulnerabilities through its responsible disclosure process and has since addressed most of the identified issues. The incident serves as a reminder that even the world’s largest technology companies must continuously evaluate and strengthen their security posture as AI-powered research tools become increasingly sophisticated.
The case is being viewed as a landmark example of how artificial intelligence is changing the cybersecurity landscape, enabling researchers to uncover hidden weaknesses at a scale that was previously difficult to achieve through traditional methods.
